Blame - Lib/test/test_ssl.py - platform/external/python/cpython3

2007-08-28 21:37:11 +0000

[diff] [blame]

1

# Test the support for SSL and sockets

2

3

import sys

4

import unittest

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

5

from test import support

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

6

import socket

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

7

import select

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

8

import time

Christian Heimes

9424bb4

2013-06-17 15:32:57 +0200

[diff] [blame]

9

import datetime

Antoine Pitrou

cfcd8ad

2010-04-23 23:31:47 +0000

[diff] [blame]

10

import gc

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

11

import os

Antoine Pitrou

cfcd8ad

2010-04-23 23:31:47 +0000

[diff] [blame]

12

import errno

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

13

import pprint

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

14

import tempfile

Antoine Pitrou

2010-10-13 10:36:15 +0000

[diff] [blame]

15

import urllib.request

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

16

import traceback

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

17

import asyncore

Antoine Pitrou

9d54366

2010-04-23 23:10:32 +0000

[diff] [blame]

18

import weakref

Antoine Pitrou

2010-08-04 16:45:21 +0000

[diff] [blame]

19

import platform

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

20

import functools

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

21

Antoine Pitrou

05d936d

2010-10-13 11:38:36 +0000

[diff] [blame]

22

ssl = support.import_module("ssl")

23

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

try:

import threading

except ImportError:

_have_threads = False

else:

_have_threads = True

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

31

PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

32

HOST = support.HOST

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

33

IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')

34

IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)

35

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

36

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

37

def data_file(*name):

38

return os.path.join(os.path.dirname(__file__), *name)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

39

Antoine Pitrou

8156409

2010-10-08 23:06:24 +0000

[diff] [blame]

40

# The custom key and certificate files used in test_ssl are generated

41

# using Lib/test/make_ssl_certs.py.

42

# Other certificates are simply fetched from the Internet servers they

43

# are meant to authenticate.

44

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

45

CERTFILE = data_file("keycert.pem")

Victor Stinner

313a120

2010-06-11 23:56:51 +0000

[diff] [blame]

46

BYTES_CERTFILE = os.fsencode(CERTFILE)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

47

ONLYCERT = data_file("ssl_cert.pem")

48

ONLYKEY = data_file("ssl_key.pem")

Victor Stinner

313a120

2010-06-11 23:56:51 +0000

[diff] [blame]

49

BYTES_ONLYCERT = os.fsencode(ONLYCERT)

50

BYTES_ONLYKEY = os.fsencode(ONLYKEY)

Antoine Pitrou

4fd1e6a

2011-08-25 14:39:44 +0200

[diff] [blame]

51

CERTFILE_PROTECTED = data_file("keycert.passwd.pem")

52

ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")

53

KEY_PASSWORD = "somepass"

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

54

CAPATH = data_file("capath")

Victor Stinner

313a120

2010-06-11 23:56:51 +0000

[diff] [blame]

55

BYTES_CAPATH = os.fsencode(CAPATH)

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

56

CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")

57

CAFILE_CACERT = data_file("capath", "5ed36f99.0")

58

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

59

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

60

# empty CRL

61

CRLFILE = data_file("revocation.crl")

62

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

63

# Two keys and certs signed by the same CA (for SNI tests)

64

SIGNED_CERTFILE = data_file("keycert3.pem")

65

SIGNED_CERTFILE2 = data_file("keycert4.pem")

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

66

# Same certificate as pycacert.pem, but without extra text in file

67

SIGNING_CA = data_file("capath", "ceff1710.0")

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

68

Martin Panter

3d81d93

2016-01-14 09:36:00 +0000

[diff] [blame]

69

REMOTE_HOST = "self-signed.pythontest.net"

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

70

71

EMPTYCERT = data_file("nullcert.pem")

72

BADCERT = data_file("badcert.pem")

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

73

NONEXISTINGCERT = data_file("XXXnonexisting.pem")

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

74

BADKEY = data_file("badkey.pem")

Antoine Pitrou

d8c347a

2011-10-01 19:20:25 +0200

[diff] [blame]

75

NOKIACERT = data_file("nokia.pem")

Christian Heimes

2013-08-17 00:54:47 +0200

[diff] [blame]

76

NULLBYTECERT = data_file("nullbytecert.pem")

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

77

Benjamin Peterson

a7eaf56

2015-04-02 00:04:06 -0400

[diff] [blame]

78

DHFILE = data_file("dh1024.pem")

Antoine Pitrou

2011-12-22 10:03:38 +0100

[diff] [blame]

79

BYTES_DHFILE = os.fsencode(DHFILE)

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

80

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

81

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

82

def handle_error(prefix):

83

exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

84

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

85

sys.stdout.write(prefix + exc_format)

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

86

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

87

def can_clear_options():

88

# 0.9.8m or higher

Antoine Pitrou

b9ac25d

2011-07-08 18:47:06 +0200

[diff] [blame]

89

return ssl._OPENSSL_API_VERSION >= (0, 9, 8, 13, 15)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

90

91

def no_sslv2_implies_sslv3_hello():

92

# 0.9.7h or higher

93

return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)

94

Christian Heimes

2427b50

2013-11-23 11:24:32 +0100

[diff] [blame]

95

def have_verify_flags():

96

# 0.9.8 or higher

97

return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)

98

Antoine Pitrou

c695c95

2014-04-28 20:57:36 +0200

[diff] [blame]

99

def utc_offset(): #NOTE: ignore issues like #1647654

100

# local time = utc time + utc offset

101

if time.daylight and time.localtime().tm_isdst > 0:

102

return -time.altzone # seconds

103

return -time.timezone

104

Christian Heimes

9424bb4

2013-06-17 15:32:57 +0200

[diff] [blame]

105

def asn1time(cert_time):

106

# Some versions of OpenSSL ignore seconds, see #18207

107

# 0.9.8.i

108

if ssl._OPENSSL_API_VERSION == (0, 9, 8, 9, 15):

109

fmt = "%b %d %H:%M:%S %Y GMT"

110

dt = datetime.datetime.strptime(cert_time, fmt)

111

dt = dt.replace(second=0)

112

cert_time = dt.strftime(fmt)

113

# %d adds leading zero but ASN1_TIME_print() uses leading space

114

if cert_time[4] == "0":

115

cert_time = cert_time[:4] + " " + cert_time[5:]

116

117

return cert_time

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

118

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

119

# Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2

120

def skip_if_broken_ubuntu_ssl(func):

Victor Stinner

2011-05-09 00:42:58 +0200

[diff] [blame]

121

if hasattr(ssl, 'PROTOCOL_SSLv2'):

122

@functools.wraps(func)

123

def f(*args, **kwargs):

124

try:

125

ssl.SSLContext(ssl.PROTOCOL_SSLv2)

126

except ssl.SSLError:

127

if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and

128

platform.linux_distribution() == ('debian', 'squeeze/sid', '')):

129

raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")

130

return func(*args, **kwargs)

131

return f

132

else:

133

return func

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

134

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

135

needs_sni = unittest.skipUnless(ssl.HAS_SNI, "SNI support needed for this test")

136

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

137

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

138

class BasicSocketTests(unittest.TestCase):

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

139

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

140

def test_constants(self):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

141

ssl.CERT_NONE

142

ssl.CERT_OPTIONAL

143

ssl.CERT_REQUIRED

Antoine Pitrou

6db4944

2011-12-19 13:27:11 +0100

[diff] [blame]

144

ssl.OP_CIPHER_SERVER_PREFERENCE

Antoine Pitrou

2011-12-22 10:03:38 +0100

[diff] [blame]

145

ssl.OP_SINGLE_DH_USE

Antoine Pitrou

c135fa4

2012-02-19 21:22:39 +0100

[diff] [blame]

146

if ssl.HAS_ECDH:

147

ssl.OP_SINGLE_ECDH_USE

Antoine Pitrou

2011-12-20 10:13:40 +0100

[diff] [blame]

148

if ssl.OPENSSL_VERSION_INFO >= (1, 0):

149

ssl.OP_NO_COMPRESSION

Antoine Pitrou

d532321

2010-10-22 18:19:07 +0000

[diff] [blame]

150

self.assertIn(ssl.HAS_SNI, {True, False})

Antoine Pitrou

501da61

2011-12-21 09:27:41 +0100

[diff] [blame]

151

self.assertIn(ssl.HAS_ECDH, {True, False})

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

152

Antoine Pitrou

172f025

2014-04-18 20:33:08 +0200

[diff] [blame]

153

def test_str_for_enums(self):

154

# Make sure that the PROTOCOL_* constants have enum-like string

155

# reprs.

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

156

proto = ssl.PROTOCOL_TLS

157

self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_TLS')

Antoine Pitrou

172f025

2014-04-18 20:33:08 +0200

[diff] [blame]

158

ctx = ssl.SSLContext(proto)

159

self.assertIs(ctx.protocol, proto)

160

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

161

def test_random(self):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

162

v = ssl.RAND_status()

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

163

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

164

sys.stdout.write("\n RAND_status is %d (%s)\n"

165

% (v, (v and "sufficient randomness") or

166

"insufficient randomness"))

Victor Stinner

99c8b16

2011-05-24 12:05:19 +0200

[diff] [blame]

167

168

data, is_cryptographic = ssl.RAND_pseudo_bytes(16)

169

self.assertEqual(len(data), 16)

170

self.assertEqual(is_cryptographic, v == 1)

171

if v:

172

data = ssl.RAND_bytes(16)

173

self.assertEqual(len(data), 16)

Victor Stinner

2e2baa9

2011-05-25 11:15:16 +0200

[diff] [blame]

174

else:

175

self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)

Victor Stinner

99c8b16

2011-05-24 12:05:19 +0200

[diff] [blame]

176

Victor Stinner

1e81a39

2013-12-19 16:47:04 +0100

[diff] [blame]

177

# negative num is invalid

178

self.assertRaises(ValueError, ssl.RAND_bytes, -5)

179

self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)

180

Victor Stinner

beeb512

2014-11-28 13:28:25 +0100

[diff] [blame]

181

if hasattr(ssl, 'RAND_egd'):

182

self.assertRaises(TypeError, ssl.RAND_egd, 1)

183

self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

184

ssl.RAND_add("this is a random string", 75.0)

Serhiy Storchaka

8490f5a

2015-03-20 09:00:36 +0200

[diff] [blame]

185

ssl.RAND_add(b"this is a random bytes object", 75.0)

186

ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

187

Christian Heimes

f77b4b2

2013-08-21 13:26:05 +0200

[diff] [blame]

188

@unittest.skipUnless(os.name == 'posix', 'requires posix')

189

def test_random_fork(self):

190

status = ssl.RAND_status()

191

if not status:

192

self.fail("OpenSSL's PRNG has insufficient randomness")

rfd, wfd = os.pipe()

pid = os.fork()

if pid == 0:

try:

os.close(rfd)

child_random = ssl.RAND_pseudo_bytes(16)[0]

200

self.assertEqual(len(child_random), 16)

201

os.write(wfd, child_random)

202

os.close(wfd)

203

except BaseException:

os._exit(1)

else:

os._exit(0)

else:

os.close(wfd)

self.addCleanup(os.close, rfd)

210

_, status = os.waitpid(pid, 0)

211

self.assertEqual(status, 0)

212

213

child_random = os.read(rfd, 16)

214

self.assertEqual(len(child_random), 16)

215

parent_random = ssl.RAND_pseudo_bytes(16)[0]

216

self.assertEqual(len(parent_random), 16)

217

218

self.assertNotEqual(child_random, parent_random)

219

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

220

def test_parse_cert(self):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

221

# note that this uses an 'unofficial' function in _ssl.c,

222

# provided solely for this test, to exercise the certificate

223

# parsing code

Antoine Pitrou

fb04691

2010-11-09 20:21:19 +0000

[diff] [blame]

224

p = ssl._ssl._test_decode_cert(CERTFILE)

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

225

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

226

sys.stdout.write("\n" + pprint.pformat(p) + "\n")

Antoine Pitrou

d8c347a

2011-10-01 19:20:25 +0200

[diff] [blame]

227

self.assertEqual(p['issuer'],

228

((('countryName', 'XY'),),

229

(('localityName', 'Castle Anthrax'),),

230

(('organizationName', 'Python Software Foundation'),),

231

(('commonName', 'localhost'),))

232

)

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

233

# Note the next three asserts will fail if the keys are regenerated

Christian Heimes

9424bb4

2013-06-17 15:32:57 +0200

[diff] [blame]

234

self.assertEqual(p['notAfter'], asn1time('Oct 5 23:01:56 2020 GMT'))

235

self.assertEqual(p['notBefore'], asn1time('Oct 8 23:01:56 2010 GMT'))

Antoine Pitrou

d8c347a

2011-10-01 19:20:25 +0200

[diff] [blame]

236

self.assertEqual(p['serialNumber'], 'D7C7381919AFC24E')

237

self.assertEqual(p['subject'],

238

((('countryName', 'XY'),),

239

(('localityName', 'Castle Anthrax'),),

240

(('organizationName', 'Python Software Foundation'),),

241

(('commonName', 'localhost'),))

242

)

243

self.assertEqual(p['subjectAltName'], (('DNS', 'localhost'),))

244

# Issue #13034: the subjectAltName in some certificates

245

# (notably projects.developer.nokia.com:443) wasn't parsed

246

p = ssl._ssl._test_decode_cert(NOKIACERT)

247

if support.verbose:

248

sys.stdout.write("\n" + pprint.pformat(p) + "\n")

249

self.assertEqual(p['subjectAltName'],

250

(('DNS', 'projects.developer.nokia.com'),

251

('DNS', 'projects.forum.nokia.com'))

252

)

Christian Heimes

bd3a7f9

2013-11-21 03:40:15 +0100

[diff] [blame]

253

# extra OCSP and AIA fields

254

self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))

255

self.assertEqual(p['caIssuers'],

256

('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))

257

self.assertEqual(p['crlDistributionPoints'],

258

('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

259

Christian Heimes

2013-08-17 00:54:47 +0200

[diff] [blame]

260

def test_parse_cert_CVE_2013_4238(self):

261

p = ssl._ssl._test_decode_cert(NULLBYTECERT)

262

if support.verbose:

263

sys.stdout.write("\n" + pprint.pformat(p) + "\n")

264

subject = ((('countryName', 'US'),),

265

(('stateOrProvinceName', 'Oregon'),),

266

(('localityName', 'Beaverton'),),

267

(('organizationName', 'Python Software Foundation'),),

268

(('organizationalUnitName', 'Python Core Development'),),

269

(('commonName', 'null.python.org\x00example.org'),),

270

(('emailAddress', 'python-dev@python.org'),))

271

self.assertEqual(p['subject'], subject)

272

self.assertEqual(p['issuer'], subject)

Christian Heimes

157c983

2013-08-25 14:12:41 +0200

[diff] [blame]

273

if ssl._OPENSSL_API_VERSION >= (0, 9, 8):

274

san = (('DNS', 'altnull.python.org\x00example.com'),

275

('email', 'null@python.org\x00user@example.org'),

276

('URI', 'http://null.python.org\x00http://example.org'),

277

('IP Address', '192.0.2.1'),

278

('IP Address', '2001:DB8:0:0:0:0:0:1\n'))

279

else:

280

# OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName

281

san = (('DNS', 'altnull.python.org\x00example.com'),

282

('email', 'null@python.org\x00user@example.org'),

283

('URI', 'http://null.python.org\x00http://example.org'),

284

('IP Address', '192.0.2.1'),

285

('IP Address', '<invalid>'))

286

287

self.assertEqual(p['subjectAltName'], san)

Christian Heimes

2013-08-17 00:54:47 +0200

[diff] [blame]

288

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

289

def test_DER_to_PEM(self):

Martin Panter

3d81d93

2016-01-14 09:36:00 +0000

[diff] [blame]

290

with open(CAFILE_CACERT, 'r') as f:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

291

pem = f.read()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

292

d1 = ssl.PEM_cert_to_DER_cert(pem)

293

p2 = ssl.DER_cert_to_PEM_cert(d1)

294

d2 = ssl.PEM_cert_to_DER_cert(p2)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

295

self.assertEqual(d1, d2)

Antoine Pitrou

9bfbe61

2010-04-27 22:08:08 +0000

[diff] [blame]

296

if not p2.startswith(ssl.PEM_HEADER + '\n'):

297

self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)

298

if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):

299

self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

300

Antoine Pitrou

2010-04-05 21:40:07 +0000

[diff] [blame]

301

def test_openssl_version(self):

302

n = ssl.OPENSSL_VERSION_NUMBER

303

t = ssl.OPENSSL_VERSION_INFO

304

s = ssl.OPENSSL_VERSION

305

self.assertIsInstance(n, int)

306

self.assertIsInstance(t, tuple)

307

self.assertIsInstance(s, str)

308

# Some sanity checks follow

309

# >= 0.9

310

self.assertGreaterEqual(n, 0x900000)

Antoine Pitrou

2014-07-21 18:35:01 -0400

[diff] [blame]

311

# < 3.0

312

self.assertLess(n, 0x30000000)

Antoine Pitrou

2010-04-05 21:40:07 +0000

[diff] [blame]

313

major, minor, fix, patch, status = t

314

self.assertGreaterEqual(major, 0)

Antoine Pitrou

2014-07-21 18:35:01 -0400

[diff] [blame]

315

self.assertLess(major, 3)

Antoine Pitrou

2010-04-05 21:40:07 +0000

[diff] [blame]

316

self.assertGreaterEqual(minor, 0)

317

self.assertLess(minor, 256)

318

self.assertGreaterEqual(fix, 0)

319

self.assertLess(fix, 256)

320

self.assertGreaterEqual(patch, 0)

Ned Deily

05784a7

2015-02-05 17:20:13 +1100

[diff] [blame]

321

self.assertLessEqual(patch, 63)

Antoine Pitrou

2010-04-05 21:40:07 +0000

[diff] [blame]

322

self.assertGreaterEqual(status, 0)

323

self.assertLessEqual(status, 15)

Antoine Pitrou

2014-07-21 18:35:01 -0400

[diff] [blame]

324

# Version string as returned by {Open,Libre}SSL, the format might change

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

325

if IS_LIBRESSL:

326

self.assertTrue(s.startswith("LibreSSL {:d}".format(major)),

Victor Stinner

789b805

2015-01-06 11:51:06 +0100

[diff] [blame]

327

(s, t, hex(n)))

Antoine Pitrou

2014-07-21 18:35:01 -0400

[diff] [blame]

328

else:

329

self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),

Victor Stinner

789b805

2015-01-06 11:51:06 +0100

[diff] [blame]

330

(s, t, hex(n)))

Antoine Pitrou

2010-04-05 21:40:07 +0000

[diff] [blame]

331

Antoine Pitrou

9d54366

2010-04-23 23:10:32 +0000

[diff] [blame]

332

@support.cpython_only

333

def test_refcycle(self):

334

# Issue #7943: an SSL object doesn't create reference cycles with

335

# itself.

336

s = socket.socket(socket.AF_INET)

337

ss = ssl.wrap_socket(s)

338

wr = weakref.ref(ss)

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

339

with support.check_warnings(("", ResourceWarning)):

340

del ss

Victor Stinner

e0b75b7

2016-03-21 17:26:04 +0100

[diff] [blame]

341

self.assertEqual(wr(), None)

Antoine Pitrou

9d54366

2010-04-23 23:10:32 +0000

[diff] [blame]

342

Antoine Pitrou

a468adc

2010-09-14 14:43:44 +0000

[diff] [blame]

343

def test_wrapped_unconnected(self):

344

# Methods on an unconnected SSLSocket propagate the original

Andrew Svetlov

2012-12-18 23:10:48 +0200

[diff] [blame]

345

# OSError raise by the underlying socket object.

Antoine Pitrou

a468adc

2010-09-14 14:43:44 +0000

[diff] [blame]

346

s = socket.socket(socket.AF_INET)

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

347

with ssl.wrap_socket(s) as ss:

Antoine Pitrou

e9bb473

2013-01-12 21:56:56 +0100

[diff] [blame]

348

self.assertRaises(OSError, ss.recv, 1)

349

self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))

350

self.assertRaises(OSError, ss.recvfrom, 1)

351

self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)

352

self.assertRaises(OSError, ss.send, b'x')

353

self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))

Antoine Pitrou

a468adc

2010-09-14 14:43:44 +0000

[diff] [blame]

354

Antoine Pitrou

2010-04-24 22:04:40 +0000

[diff] [blame]

355

def test_timeout(self):

356

# Issue #8524: when creating an SSL socket, the timeout of the

357

# original socket should be retained.

358

for timeout in (None, 0.0, 5.0):

359

s = socket.socket(socket.AF_INET)

360

s.settimeout(timeout)

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

361

with ssl.wrap_socket(s) as ss:

362

self.assertEqual(timeout, ss.gettimeout())

Antoine Pitrou

2010-04-24 22:04:40 +0000

[diff] [blame]

363

Giampaolo Rodolà

745ab38

2010-08-29 19:25:49 +0000

[diff] [blame]

364

def test_errors(self):

365

sock = socket.socket()

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

366

self.assertRaisesRegex(ValueError,

Giampaolo Rodolà

2010-08-30 18:28:05 +0000

[diff] [blame]

367

"certfile must be specified",

368

ssl.wrap_socket, sock, keyfile=CERTFILE)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

369

self.assertRaisesRegex(ValueError,

Giampaolo Rodolà

2010-08-30 18:28:05 +0000

[diff] [blame]

370

"certfile must be specified for server-side operations",

371

ssl.wrap_socket, sock, server_side=True)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

372

self.assertRaisesRegex(ValueError,

Giampaolo Rodolà

2010-08-30 18:28:05 +0000

[diff] [blame]

373

"certfile must be specified for server-side operations",

374

ssl.wrap_socket, sock, server_side=True, certfile="")

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

375

with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:

376

self.assertRaisesRegex(ValueError, "can't connect in server-side mode",

377

s.connect, (HOST, 8080))

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

378

with self.assertRaises(OSError) as cm:

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

379

with socket.socket() as sock:

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

380

ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)

Giampaolo Rodolà

2010-08-29 22:50:39 +0000

[diff] [blame]

381

self.assertEqual(cm.exception.errno, errno.ENOENT)

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

382

with self.assertRaises(OSError) as cm:

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

383

with socket.socket() as sock:

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

384

ssl.wrap_socket(sock,

385

certfile=CERTFILE, keyfile=NONEXISTINGCERT)

Giampaolo Rodolà

2010-08-30 18:28:05 +0000

[diff] [blame]

386

self.assertEqual(cm.exception.errno, errno.ENOENT)

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

387

with self.assertRaises(OSError) as cm:

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

388

with socket.socket() as sock:

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

389

ssl.wrap_socket(sock,

390

certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)

Giampaolo Rodolà

2010-08-29 22:50:39 +0000

[diff] [blame]

391

self.assertEqual(cm.exception.errno, errno.ENOENT)

Giampaolo Rodolà

745ab38

2010-08-29 19:25:49 +0000

[diff] [blame]

392

Martin Panter

3464ea2

2016-02-01 21:58:11 +0000

[diff] [blame]

393

def bad_cert_test(self, certfile):

394

"""Check that trying to use the given client certificate fails"""

395

certfile = os.path.join(os.path.dirname(__file__) or os.curdir,

396

certfile)

397

sock = socket.socket()

398

self.addCleanup(sock.close)

399

with self.assertRaises(ssl.SSLError):

400

ssl.wrap_socket(sock,

401

certfile=certfile,

402

ssl_version=ssl.PROTOCOL_TLSv1)

403

404

def test_empty_cert(self):

405

"""Wrapping with an empty cert file"""

406

self.bad_cert_test("nullcert.pem")

407

408

def test_malformed_cert(self):

409

"""Wrapping with a badly formatted certificate (syntax error)"""

410

self.bad_cert_test("badcert.pem")

411

412

def test_malformed_key(self):

413

"""Wrapping with a badly formatted key (syntax error)"""

414

self.bad_cert_test("badkey.pem")

415

Antoine Pitrou

2010-10-08 10:37:08 +0000

[diff] [blame]

416

def test_match_hostname(self):

417

def ok(cert, hostname):

418

ssl.match_hostname(cert, hostname)

419

def fail(cert, hostname):

420

self.assertRaises(ssl.CertificateError,

421

ssl.match_hostname, cert, hostname)

422

Antoine Pitrou

c481bfb

2015-02-15 18:12:20 +0100

[diff] [blame]

423

# -- Hostname matching --

424

Antoine Pitrou

2010-10-08 10:37:08 +0000

[diff] [blame]

425

cert = {'subject': ((('commonName', 'example.com'),),)}

426

ok(cert, 'example.com')

427

ok(cert, 'ExAmple.cOm')

428

fail(cert, 'www.example.com')

429

fail(cert, '.example.com')

430

fail(cert, 'example.org')

431

fail(cert, 'exampleXcom')

432

433

cert = {'subject': ((('commonName', '*.a.com'),),)}

434

ok(cert, 'foo.a.com')

435

fail(cert, 'bar.foo.a.com')

fail(cert, 'a.com')

fail(cert, 'Xa.com')

fail(cert, '.a.com')

Georg Brandl

2013-10-27 07:16:53 +0100

[diff] [blame]

440

# only match one left-most wildcard

Antoine Pitrou

2010-10-08 10:37:08 +0000

[diff] [blame]

441

cert = {'subject': ((('commonName', 'f*.com'),),)}

442

ok(cert, 'foo.com')

443

ok(cert, 'f.com')

444

fail(cert, 'bar.com')

445

fail(cert, 'foo.a.com')

446

fail(cert, 'bar.foo.com')

447

Christian Heimes

2013-08-17 00:54:47 +0200

[diff] [blame]

448

# NULL bytes are bad, CVE-2013-4073

449

cert = {'subject': ((('commonName',

450

'null.python.org\x00example.org'),),)}

451

ok(cert, 'null.python.org\x00example.org') # or raise an error?

452

fail(cert, 'example.org')

453

fail(cert, 'null.python.org')

454

Georg Brandl

72c98d3

2013-10-27 07:16:53 +0100

[diff] [blame]

455

# error cases with wildcards

456

cert = {'subject': ((('commonName', '*.*.a.com'),),)}

457

fail(cert, 'bar.foo.a.com')

fail(cert, 'a.com')

fail(cert, 'Xa.com')

fail(cert, '.a.com')

cert = {'subject': ((('commonName', 'a.*.com'),),)}

463

fail(cert, 'a.foo.com')

fail(cert, 'a..com')

fail(cert, 'a.com')

# wildcard doesn't match IDNA prefix 'xn--'

468

idna = 'püthon.python.org'.encode("idna").decode("ascii")

469

cert = {'subject': ((('commonName', idna),),)}

470

ok(cert, idna)

471

cert = {'subject': ((('commonName', 'x*.python.org'),),)}

472

fail(cert, idna)

473

cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}

474

fail(cert, idna)

475

476

# wildcard in first fragment and IDNA A-labels in sequent fragments

477

# are supported.

478

idna = 'www*.pythön.org'.encode("idna").decode("ascii")

479

cert = {'subject': ((('commonName', idna),),)}

480

ok(cert, 'www.pythön.org'.encode("idna").decode("ascii"))

481

ok(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))

482

fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))

483

fail(cert, 'pythön.org'.encode("idna").decode("ascii"))

484

Antoine Pitrou

2010-10-08 10:37:08 +0000

[diff] [blame]

485

# Slightly fake real-world example

486

cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',

487

'subject': ((('commonName', 'linuxfrz.org'),),),

488

'subjectAltName': (('DNS', 'linuxfr.org'),

489

('DNS', 'linuxfr.com'),

490

('othername', '<unsupported>'))}

491

ok(cert, 'linuxfr.org')

492

ok(cert, 'linuxfr.com')

493

# Not a "DNS" entry

494

fail(cert, '<unsupported>')

495

# When there is a subjectAltName, commonName isn't used

496

fail(cert, 'linuxfrz.org')

497

498

# A pristine real-world example

499

cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',

500

'subject': ((('countryName', 'US'),),

501

(('stateOrProvinceName', 'California'),),

502

(('localityName', 'Mountain View'),),

503

(('organizationName', 'Google Inc'),),

504

(('commonName', 'mail.google.com'),))}

505

ok(cert, 'mail.google.com')

506

fail(cert, 'gmail.com')

507

# Only commonName is considered

508

fail(cert, 'California')

509

Antoine Pitrou

c481bfb

2015-02-15 18:12:20 +0100

[diff] [blame]

510

# -- IPv4 matching --

511

cert = {'subject': ((('commonName', 'example.com'),),),

512

'subjectAltName': (('DNS', 'example.com'),

513

('IP Address', '10.11.12.13'),

514

('IP Address', '14.15.16.17'))}

515

ok(cert, '10.11.12.13')

516

ok(cert, '14.15.16.17')

517

fail(cert, '14.15.16.18')

518

fail(cert, 'example.net')

519

520

# -- IPv6 matching --

521

cert = {'subject': ((('commonName', 'example.com'),),),

522

'subjectAltName': (('DNS', 'example.com'),

523

('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),

524

('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}

525

ok(cert, '2001::cafe')

526

ok(cert, '2003::baba')

527

fail(cert, '2003::bebe')

528

fail(cert, 'example.net')

529

530

# -- Miscellaneous --

531

Antoine Pitrou

2010-10-08 10:37:08 +0000

[diff] [blame]

532

# Neither commonName nor subjectAltName

533

cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',

534

'subject': ((('countryName', 'US'),),

535

(('stateOrProvinceName', 'California'),),

536

(('localityName', 'Mountain View'),),

537

(('organizationName', 'Google Inc'),))}

538

fail(cert, 'mail.google.com')

539

Antoine Pitrou

1c86b44

2011-05-06 15:19:49 +0200

[diff] [blame]

540

# No DNS entry in subjectAltName but a commonName

541

cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',

542

'subject': ((('countryName', 'US'),),

543

(('stateOrProvinceName', 'California'),),

544

(('localityName', 'Mountain View'),),

545

(('commonName', 'mail.google.com'),)),

546

'subjectAltName': (('othername', 'blabla'), )}

547

ok(cert, 'mail.google.com')

548

549

# No DNS entry subjectAltName and no commonName

550

cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',

551

'subject': ((('countryName', 'US'),),

552

(('stateOrProvinceName', 'California'),),

553

(('localityName', 'Mountain View'),),

554

(('organizationName', 'Google Inc'),)),

555

'subjectAltName': (('othername', 'blabla'),)}

556

fail(cert, 'google.com')

557

Antoine Pitrou

2010-10-08 10:37:08 +0000

[diff] [blame]

558

# Empty cert / no cert

559

self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')

560

self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')

561

Antoine Pitrou

636f93c

2013-05-18 17:56:42 +0200

[diff] [blame]

562

# Issue #17980: avoid denials of service by refusing more than one

563

# wildcard per fragment.

564

cert = {'subject': ((('commonName', 'a*b.com'),),)}

565

ok(cert, 'axxb.com')

566

cert = {'subject': ((('commonName', 'a*b.co*'),),)}

Georg Brandl

72c98d3

2013-10-27 07:16:53 +0100

[diff] [blame]

567

fail(cert, 'axxb.com')

Antoine Pitrou

636f93c

2013-05-18 17:56:42 +0200

[diff] [blame]

568

cert = {'subject': ((('commonName', 'a*b*.com'),),)}

569

with self.assertRaises(ssl.CertificateError) as cm:

570

ssl.match_hostname(cert, 'axxbxxc.com')

571

self.assertIn("too many wildcards", str(cm.exception))

572

Antoine Pitrou

d532321

2010-10-22 18:19:07 +0000

[diff] [blame]

573

def test_server_side(self):

574

# server_hostname doesn't work for server sockets

575

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

576

with socket.socket() as sock:

577

self.assertRaises(ValueError, ctx.wrap_socket, sock, True,

578

server_hostname="some.hostname")

Antoine Pitrou

2010-04-05 21:40:07 +0000

[diff] [blame]

579

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

580

def test_unknown_channel_binding(self):

581

# should raise ValueError for unknown type

582

s = socket.socket(socket.AF_INET)

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

583

s.bind(('127.0.0.1', 0))

584

s.listen()

585

c = socket.socket(socket.AF_INET)

586

c.connect(s.getsockname())

587

with ssl.wrap_socket(c, do_handshake_on_connect=False) as ss:

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

588

with self.assertRaises(ValueError):

589

ss.get_channel_binding("unknown-type")

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

590

s.close()

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

591

592

@unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,

593

"'tls-unique' channel binding not available")

594

def test_tls_unique_channel_binding(self):

595

# unconnected should return None for known type

596

s = socket.socket(socket.AF_INET)

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

597

with ssl.wrap_socket(s) as ss:

598

self.assertIsNone(ss.get_channel_binding("tls-unique"))

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

599

# the same for server-side

600

s = socket.socket(socket.AF_INET)

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

601

with ssl.wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:

602

self.assertIsNone(ss.get_channel_binding("tls-unique"))

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

603

Benjamin Peterson

36f7b97

2013-01-10 14:16:20 -0600

[diff] [blame]

604

def test_dealloc_warn(self):

605

ss = ssl.wrap_socket(socket.socket(socket.AF_INET))

606

r = repr(ss)

607

with self.assertWarns(ResourceWarning) as cm:

608

ss = None

609

support.gc_collect()

610

self.assertIn(r, str(cm.warning.args[0]))

611

Christian Heimes

6d7ad13

2013-06-09 18:02:55 +0200

[diff] [blame]

612

def test_get_default_verify_paths(self):

613

paths = ssl.get_default_verify_paths()

614

self.assertEqual(len(paths), 6)

615

self.assertIsInstance(paths, ssl.DefaultVerifyPaths)

616

617

with support.EnvironmentVarGuard() as env:

618

env["SSL_CERT_DIR"] = CAPATH

619

env["SSL_CERT_FILE"] = CERTFILE

620

paths = ssl.get_default_verify_paths()

621

self.assertEqual(paths.cafile, CERTFILE)

622

self.assertEqual(paths.capath, CAPATH)

623

Christian Heimes

2013-11-22 01:51:30 +0100

[diff] [blame]

624

@unittest.skipUnless(sys.platform == "win32", "Windows specific")

625

def test_enum_certificates(self):

626

self.assertTrue(ssl.enum_certificates("CA"))

627

self.assertTrue(ssl.enum_certificates("ROOT"))

628

629

self.assertRaises(TypeError, ssl.enum_certificates)

630

self.assertRaises(WindowsError, ssl.enum_certificates, "")

631

Christian Heimes

c2d65e1

2013-11-22 16:13:55 +0100

[diff] [blame]

632

trust_oids = set()

633

for storename in ("CA", "ROOT"):

634

store = ssl.enum_certificates(storename)

635

self.assertIsInstance(store, list)

636

for element in store:

637

self.assertIsInstance(element, tuple)

638

self.assertEqual(len(element), 3)

639

cert, enc, trust = element

640

self.assertIsInstance(cert, bytes)

641

self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})

642

self.assertIsInstance(trust, (set, bool))

643

if isinstance(trust, set):

644

trust_oids.update(trust)

Christian Heimes

2013-11-22 01:51:30 +0100

[diff] [blame]

645

646

serverAuth = "1.3.6.1.5.5.7.3.1"

Christian Heimes

c2d65e1

2013-11-22 16:13:55 +0100

[diff] [blame]

647

self.assertIn(serverAuth, trust_oids)

Christian Heimes

6d7ad13

2013-06-09 18:02:55 +0200

[diff] [blame]

648

Christian Heimes

2013-06-09 19:03:31 +0200

[diff] [blame]

649

@unittest.skipUnless(sys.platform == "win32", "Windows specific")

Christian Heimes

2013-11-22 01:51:30 +0100

[diff] [blame]

650

def test_enum_crls(self):

651

self.assertTrue(ssl.enum_crls("CA"))

652

self.assertRaises(TypeError, ssl.enum_crls)

653

self.assertRaises(WindowsError, ssl.enum_crls, "")

Christian Heimes

2013-06-09 19:03:31 +0200

[diff] [blame]

654

Christian Heimes

2013-11-22 01:51:30 +0100

[diff] [blame]

655

crls = ssl.enum_crls("CA")

656

self.assertIsInstance(crls, list)

657

for element in crls:

658

self.assertIsInstance(element, tuple)

659

self.assertEqual(len(element), 2)

660

self.assertIsInstance(element[0], bytes)

661

self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})

Christian Heimes

2013-06-09 19:03:31 +0200

[diff] [blame]

662

Christian Heimes

2013-06-09 19:03:31 +0200

[diff] [blame]

663

Christian Heimes

2013-11-17 19:59:14 +0100

[diff] [blame]

664

def test_asn1object(self):

665

expected = (129, 'serverAuth', 'TLS Web Server Authentication',

666

'1.3.6.1.5.5.7.3.1')

667

668

val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')

669

self.assertEqual(val, expected)

670

self.assertEqual(val.nid, 129)

671

self.assertEqual(val.shortname, 'serverAuth')

672

self.assertEqual(val.longname, 'TLS Web Server Authentication')

673

self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')

674

self.assertIsInstance(val, ssl._ASN1Object)

675

self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')

676

677

val = ssl._ASN1Object.fromnid(129)

678

self.assertEqual(val, expected)

679

self.assertIsInstance(val, ssl._ASN1Object)

680

self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)

Christian Heimes

5398e1a

2013-11-22 16:20:53 +0100

[diff] [blame]

681

with self.assertRaisesRegex(ValueError, "unknown NID 100000"):

682

ssl._ASN1Object.fromnid(100000)

Christian Heimes

2013-11-17 19:59:14 +0100

[diff] [blame]

683

for i in range(1000):

684

try:

685

obj = ssl._ASN1Object.fromnid(i)

except ValueError:

pass

else:

self.assertIsInstance(obj.nid, int)

690

self.assertIsInstance(obj.shortname, str)

691

self.assertIsInstance(obj.longname, str)

692

self.assertIsInstance(obj.oid, (str, type(None)))

693

694

val = ssl._ASN1Object.fromname('TLS Web Server Authentication')

695

self.assertEqual(val, expected)

696

self.assertIsInstance(val, ssl._ASN1Object)

697

self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)

698

self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),

699

expected)

Christian Heimes

5398e1a

2013-11-22 16:20:53 +0100

[diff] [blame]

700

with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):

701

ssl._ASN1Object.fromname('serverauth')

Christian Heimes

2013-11-17 19:59:14 +0100

[diff] [blame]

702

Christian Heimes

72d2850

2013-11-23 13:56:58 +0100

[diff] [blame]

703

def test_purpose_enum(self):

704

val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')

705

self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)

706

self.assertEqual(ssl.Purpose.SERVER_AUTH, val)

707

self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)

708

self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')

709

self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,

710

'1.3.6.1.5.5.7.3.1')

711

712

val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')

713

self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)

714

self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)

715

self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)

716

self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')

717

self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,

718

'1.3.6.1.5.5.7.3.2')

719

Antoine Pitrou

3e86ba4

2013-12-28 17:26:33 +0100

[diff] [blame]

720

def test_unsupported_dtls(self):

721

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

722

self.addCleanup(s.close)

723

with self.assertRaises(NotImplementedError) as cx:

724

ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)

725

self.assertEqual(str(cx.exception), "only stream sockets are supported")

726

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

727

with self.assertRaises(NotImplementedError) as cx:

728

ctx.wrap_socket(s)

729

self.assertEqual(str(cx.exception), "only stream sockets are supported")

730

Antoine Pitrou

c695c95

2014-04-28 20:57:36 +0200

[diff] [blame]

731

def cert_time_ok(self, timestring, timestamp):

732

self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)

733

734

def cert_time_fail(self, timestring):

735

with self.assertRaises(ValueError):

736

ssl.cert_time_to_seconds(timestring)

737

738

@unittest.skipUnless(utc_offset(),

739

'local time needs to be different from UTC')

740

def test_cert_time_to_seconds_timezone(self):

741

# Issue #19940: ssl.cert_time_to_seconds() returns wrong

742

# results if local timezone is not UTC

743

self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)

744

self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)

745

746

def test_cert_time_to_seconds(self):

747

timestring = "Jan 5 09:34:43 2018 GMT"

748

ts = 1515144883.0

749

self.cert_time_ok(timestring, ts)

750

# accept keyword parameter, assert its name

751

self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)

752

# accept both %e and %d (space or zero generated by strftime)

753

self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)

754

# case-insensitive

755

self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)

756

self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds

757

self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT

758

self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone

759

self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day

760

self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month

761

self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour

762

self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute

763

764

newyear_ts = 1230768000.0

765

# leap seconds

766

self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)

767

# same timestamp

768

self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)

769

770

self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)

771

# allow 60th second (even if it is not a leap second)

772

self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)

773

# allow 2nd leap second for compatibility with time.strptime()

774

self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)

775

self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds

776

777

# no special treatement for the special value:

778

# 99991231235959Z (rfc 5280)

779

self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)

780

781

@support.run_with_locale('LC_ALL', '')

782

def test_cert_time_to_seconds_locale(self):

783

# `cert_time_to_seconds()` should be locale independent

784

785

def local_february_name():

786

return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))

787

788

if local_february_name().lower() == 'feb':

789

self.skipTest("locale-specific month name needs to be "

790

"different from C locale")

791

792

# locale-independent

793

self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)

794

self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")

795

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

796

def test_connect_ex_error(self):

797

server = socket.socket(socket.AF_INET)

798

self.addCleanup(server.close)

799

port = support.bind_port(server) # Reserve port but don't listen

800

s = ssl.wrap_socket(socket.socket(socket.AF_INET),

801

cert_reqs=ssl.CERT_REQUIRED)

802

self.addCleanup(s.close)

803

rc = s.connect_ex((HOST, port))

804

# Issue #19919: Windows machines or VMs hosted on Windows

805

# machines sometimes return EWOULDBLOCK.

806

errors = (

807

errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,

808

errno.EWOULDBLOCK,

809

)

810

self.assertIn(rc, errors)

811

Christian Heimes

2013-11-17 19:59:14 +0100

[diff] [blame]

812

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

813

class ContextTests(unittest.TestCase):

814

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

815

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

816

def test_constructor(self):

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

817

for protocol in PROTOCOLS:

818

ssl.SSLContext(protocol)

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

819

ctx = ssl.SSLContext()

820

self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

821

self.assertRaises(ValueError, ssl.SSLContext, -1)

822

self.assertRaises(ValueError, ssl.SSLContext, 42)

823

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

824

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

825

def test_protocol(self):

826

for proto in PROTOCOLS:

827

ctx = ssl.SSLContext(proto)

828

self.assertEqual(ctx.protocol, proto)

829

830

def test_ciphers(self):

831

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

832

ctx.set_ciphers("ALL")

833

ctx.set_ciphers("DEFAULT")

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

834

with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):

Antoine Pitrou

3047406

2010-05-16 23:46:26 +0000

[diff] [blame]

835

ctx.set_ciphers("^$:,;?*'dorothyx")

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

836

Christian Heimes

25bfcd5

2016-09-06 00:04:45 +0200

[diff] [blame]

837

@unittest.skipIf(ssl.OPENSSL_VERSION_INFO < (1, 0, 2, 0, 0), 'OpenSSL too old')

838

def test_get_ciphers(self):

839

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

Christian Heimes

ea9b2dc

2016-09-06 10:45:44 +0200

[diff] [blame]

840

ctx.set_ciphers('AESGCM')

Christian Heimes

25bfcd5

2016-09-06 00:04:45 +0200

[diff] [blame]

841

names = set(d['name'] for d in ctx.get_ciphers())

Christian Heimes

582282b

2016-09-06 11:27:25 +0200

[diff] [blame]

842

self.assertIn('AES256-GCM-SHA384', names)

843

self.assertIn('AES128-GCM-SHA256', names)

Christian Heimes

25bfcd5

2016-09-06 00:04:45 +0200

[diff] [blame]

844

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

845

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

846

def test_options(self):

847

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

Benjamin Peterson

2015-11-11 22:38:41 -0800

[diff] [blame]

848

# OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

849

default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)

850

if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):

851

default |= ssl.OP_NO_COMPRESSION

852

self.assertEqual(default, ctx.options)

Benjamin Peterson

2015-11-11 22:38:41 -0800

[diff] [blame]

853

ctx.options |= ssl.OP_NO_TLSv1

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

854

self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

855

if can_clear_options():

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

856

ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)

857

self.assertEqual(default, ctx.options)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

858

ctx.options = 0

Matthias Klose

f7c5624

2016-06-12 23:40:00 -0700

[diff] [blame]

859

# Ubuntu has OP_NO_SSLv3 forced on by default

860

self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

861

else:

862

with self.assertRaises(ValueError):

863

ctx.options = 0

864

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

865

def test_verify_mode(self):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

866

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

867

# Default value

868

self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)

869

ctx.verify_mode = ssl.CERT_OPTIONAL

870

self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)

871

ctx.verify_mode = ssl.CERT_REQUIRED

872

self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)

873

ctx.verify_mode = ssl.CERT_NONE

874

self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)

875

with self.assertRaises(TypeError):

876

ctx.verify_mode = None

877

with self.assertRaises(ValueError):

878

ctx.verify_mode = 42

879

Christian Heimes

2427b50

2013-11-23 11:24:32 +0100

[diff] [blame]

880

@unittest.skipUnless(have_verify_flags(),

881

"verify_flags need OpenSSL > 0.9.8")

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

882

def test_verify_flags(self):

883

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

Benjamin Peterson

990fcaa

2015-03-04 22:49:41 -0500

[diff] [blame]

884

# default value

885

tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)

886

self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

887

ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF

888

self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)

889

ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN

890

self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)

891

ctx.verify_flags = ssl.VERIFY_DEFAULT

892

self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)

893

# supports any value

894

ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT

895

self.assertEqual(ctx.verify_flags,

896

ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)

897

with self.assertRaises(TypeError):

898

ctx.verify_flags = None

899

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

900

def test_load_cert_chain(self):

901

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

902

# Combined key and cert in a single file

Benjamin Peterson

1ea070e

2014-11-03 21:05:01 -0500

[diff] [blame]

903

ctx.load_cert_chain(CERTFILE, keyfile=None)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

904

ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)

905

self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

906

with self.assertRaises(OSError) as cm:

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

907

ctx.load_cert_chain(NONEXISTINGCERT)

Giampaolo Rodolà

2010-08-29 22:50:39 +0000

[diff] [blame]

908

self.assertEqual(cm.exception.errno, errno.ENOENT)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

909

with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

910

ctx.load_cert_chain(BADCERT)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

911

with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

912

ctx.load_cert_chain(EMPTYCERT)

913

# Separate key and cert

Antoine Pitrou

d091950

2010-05-17 10:30:00 +0000

[diff] [blame]

914

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

915

ctx.load_cert_chain(ONLYCERT, ONLYKEY)

916

ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)

917

ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

918

with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

919

ctx.load_cert_chain(ONLYCERT)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

920

with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

921

ctx.load_cert_chain(ONLYKEY)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

922

with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

923

ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)

924

# Mismatching key and cert

Antoine Pitrou

d091950

2010-05-17 10:30:00 +0000

[diff] [blame]

925

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

926

with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):

Martin Panter

3d81d93

2016-01-14 09:36:00 +0000

[diff] [blame]

927

ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)

Antoine Pitrou

4fd1e6a

2011-08-25 14:39:44 +0200

[diff] [blame]

928

# Password protected key and cert

929

ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)

930

ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())

931

ctx.load_cert_chain(CERTFILE_PROTECTED,

932

password=bytearray(KEY_PASSWORD.encode()))

933

ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)

934

ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())

935

ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,

936

bytearray(KEY_PASSWORD.encode()))

937

with self.assertRaisesRegex(TypeError, "should be a string"):

938

ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)

939

with self.assertRaises(ssl.SSLError):

940

ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")

941

with self.assertRaisesRegex(ValueError, "cannot be longer"):

942

# openssl has a fixed limit on the password buffer.

943

# PEM_BUFSIZE is generally set to 1kb.

944

# Return a string larger than this.

945

ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)

946

# Password callback

947

def getpass_unicode():

948

return KEY_PASSWORD

949

def getpass_bytes():

950

return KEY_PASSWORD.encode()

951

def getpass_bytearray():

952

return bytearray(KEY_PASSWORD.encode())

953

def getpass_badpass():

954

return "badpass"

955

def getpass_huge():

956

return b'a' * (1024 * 1024)

957

def getpass_bad_type():

958

return 9

959

def getpass_exception():

960

raise Exception('getpass error')

961

class GetPassCallable:

def __call__(self):

return KEY_PASSWORD

def getpass(self):

return KEY_PASSWORD

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)

967

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)

968

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)

969

ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())

970

ctx.load_cert_chain(CERTFILE_PROTECTED,

971

password=GetPassCallable().getpass)

972

with self.assertRaises(ssl.SSLError):

973

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)

974

with self.assertRaisesRegex(ValueError, "cannot be longer"):

975

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)

976

with self.assertRaisesRegex(TypeError, "must return a string"):

977

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)

978

with self.assertRaisesRegex(Exception, "getpass error"):

979

ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)

980

# Make sure the password function isn't called if it isn't needed

981

ctx.load_cert_chain(CERTFILE, password=getpass_exception)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

982

983

def test_load_verify_locations(self):

984

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

985

ctx.load_verify_locations(CERTFILE)

986

ctx.load_verify_locations(cafile=CERTFILE, capath=None)

987

ctx.load_verify_locations(BYTES_CERTFILE)

988

ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)

989

self.assertRaises(TypeError, ctx.load_verify_locations)

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

990

self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

991

with self.assertRaises(OSError) as cm:

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

992

ctx.load_verify_locations(NONEXISTINGCERT)

Giampaolo Rodolà

2010-08-29 22:50:39 +0000

[diff] [blame]

993

self.assertEqual(cm.exception.errno, errno.ENOENT)

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

994

with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

995

ctx.load_verify_locations(BADCERT)

996

ctx.load_verify_locations(CERTFILE, CAPATH)

997

ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)

998

Victor Stinner

80f75e6

2011-01-29 11:31:20 +0000

[diff] [blame]

999

# Issue #10989: crash if the second argument type is invalid

1000

self.assertRaises(TypeError, ctx.load_verify_locations, None, True)

1001

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

1002

def test_load_verify_cadata(self):

1003

# test cadata

1004

with open(CAFILE_CACERT) as f:

1005

cacert_pem = f.read()

1006

cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)

1007

with open(CAFILE_NEURONIO) as f:

1008

neuronio_pem = f.read()

1009

neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)

1010

1011

# test PEM

1012

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1013

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)

1014

ctx.load_verify_locations(cadata=cacert_pem)

1015

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)

1016

ctx.load_verify_locations(cadata=neuronio_pem)

1017

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1018

# cert already in hash table

1019

ctx.load_verify_locations(cadata=neuronio_pem)

1020

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1021

1022

# combined

1023

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1024

combined = "\n".join((cacert_pem, neuronio_pem))

1025

ctx.load_verify_locations(cadata=combined)

1026

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1027

1028

# with junk around the certs

1029

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1030

combined = ["head", cacert_pem, "other", neuronio_pem, "again",

1031

neuronio_pem, "tail"]

1032

ctx.load_verify_locations(cadata="\n".join(combined))

1033

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1034

1035

# test DER

1036

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1037

ctx.load_verify_locations(cadata=cacert_der)

1038

ctx.load_verify_locations(cadata=neuronio_der)

1039

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1040

# cert already in hash table

1041

ctx.load_verify_locations(cadata=cacert_der)

1042

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1043

1044

# combined

1045

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1046

combined = b"".join((cacert_der, neuronio_der))

1047

ctx.load_verify_locations(cadata=combined)

1048

self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)

1049

1050

# error cases

1051

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1052

self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)

1053

1054

with self.assertRaisesRegex(ssl.SSLError, "no start line"):

1055

ctx.load_verify_locations(cadata="broken")

1056

with self.assertRaisesRegex(ssl.SSLError, "not enough data"):

1057

ctx.load_verify_locations(cadata=b"broken")

1058

1059

Antoine Pitrou

2011-12-22 10:03:38 +0100

[diff] [blame]

1060

def test_load_dh_params(self):

1061

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1062

ctx.load_dh_params(DHFILE)

1063

if os.name != 'nt':

1064

ctx.load_dh_params(BYTES_DHFILE)

1065

self.assertRaises(TypeError, ctx.load_dh_params)

1066

self.assertRaises(TypeError, ctx.load_dh_params, None)

1067

with self.assertRaises(FileNotFoundError) as cm:

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

1068

ctx.load_dh_params(NONEXISTINGCERT)

Antoine Pitrou

2011-12-22 10:03:38 +0100

[diff] [blame]

1069

self.assertEqual(cm.exception.errno, errno.ENOENT)

Antoine Pitrou

3b36fb1

2012-06-22 21:11:52 +0200

[diff] [blame]

1070

with self.assertRaises(ssl.SSLError) as cm:

Antoine Pitrou

2011-12-22 10:03:38 +0100

[diff] [blame]

1071

ctx.load_dh_params(CERTFILE)

1072

Antoine Pitrou

eb585ad

2010-10-22 18:24:20 +0000

[diff] [blame]

1073

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

b0182c8

2010-10-12 20:09:02 +0000

[diff] [blame]

1074

def test_session_stats(self):

1075

for proto in PROTOCOLS:

1076

ctx = ssl.SSLContext(proto)

1077

self.assertEqual(ctx.session_stats(), {

'number': 0,

'connect': 0,

'connect_good': 0,

'connect_renegotiate': 0,

1082

'accept': 0,

1083

'accept_good': 0,

1084

'accept_renegotiate': 0,

'hits': 0,

'misses': 0,

'timeouts': 0,

'cache_full': 0,

})

Antoine Pitrou

2010-11-17 20:29:42 +0000

[diff] [blame]

1091

def test_set_default_verify_paths(self):

1092

# There's not much we can do to test that it acts as expected,

1093

# so just check it doesn't crash or raise an exception.

1094

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1095

ctx.set_default_verify_paths()

1096

Antoine Pitrou

501da61

2011-12-21 09:27:41 +0100

[diff] [blame]

1097

@unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")

Antoine Pitrou

923df6f

2011-12-19 17:16:51 +0100

[diff] [blame]

1098

def test_set_ecdh_curve(self):

1099

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1100

ctx.set_ecdh_curve("prime256v1")

1101

ctx.set_ecdh_curve(b"prime256v1")

1102

self.assertRaises(TypeError, ctx.set_ecdh_curve)

1103

self.assertRaises(TypeError, ctx.set_ecdh_curve, None)

1104

self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")

1105

self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")

1106

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

1107

@needs_sni

1108

def test_sni_callback(self):

1109

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1110

1111

# set_servername_callback expects a callable, or None

1112

self.assertRaises(TypeError, ctx.set_servername_callback)

1113

self.assertRaises(TypeError, ctx.set_servername_callback, 4)

1114

self.assertRaises(TypeError, ctx.set_servername_callback, "")

1115

self.assertRaises(TypeError, ctx.set_servername_callback, ctx)

1116

1117

def dummycallback(sock, servername, ctx):

1118

pass

1119

ctx.set_servername_callback(None)

1120

ctx.set_servername_callback(dummycallback)

1121

1122

@needs_sni

1123

def test_sni_callback_refcycle(self):

1124

# Reference cycles through the servername callback are detected

1125

# and cleared.

1126

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1127

def dummycallback(sock, servername, ctx, cycle=ctx):

1128

pass

1129

ctx.set_servername_callback(dummycallback)

1130

wr = weakref.ref(ctx)

1131

del ctx, dummycallback

1132

gc.collect()

1133

self.assertIs(wr(), None)

1134

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1135

def test_cert_store_stats(self):

1136

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1137

self.assertEqual(ctx.cert_store_stats(),

1138

{'x509_ca': 0, 'crl': 0, 'x509': 0})

1139

ctx.load_cert_chain(CERTFILE)

1140

self.assertEqual(ctx.cert_store_stats(),

1141

{'x509_ca': 0, 'crl': 0, 'x509': 0})

1142

ctx.load_verify_locations(CERTFILE)

1143

self.assertEqual(ctx.cert_store_stats(),

1144

{'x509_ca': 0, 'crl': 0, 'x509': 1})

Martin Panter

b55f8b7

2016-01-14 12:53:56 +0000

[diff] [blame]

1145

ctx.load_verify_locations(CAFILE_CACERT)

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1146

self.assertEqual(ctx.cert_store_stats(),

1147

{'x509_ca': 1, 'crl': 0, 'x509': 2})

1148

1149

def test_get_ca_certs(self):

1150

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1151

self.assertEqual(ctx.get_ca_certs(), [])

1152

# CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE

1153

ctx.load_verify_locations(CERTFILE)

1154

self.assertEqual(ctx.get_ca_certs(), [])

Martin Panter

b55f8b7

2016-01-14 12:53:56 +0000

[diff] [blame]

1155

# but CAFILE_CACERT is a CA cert

1156

ctx.load_verify_locations(CAFILE_CACERT)

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1157

self.assertEqual(ctx.get_ca_certs(),

1158

[{'issuer': ((('organizationName', 'Root CA'),),

1159

(('organizationalUnitName', 'http://www.cacert.org'),),

1160

(('commonName', 'CA Cert Signing Authority'),),

1161

(('emailAddress', 'support@cacert.org'),)),

1162

'notAfter': asn1time('Mar 29 12:29:49 2033 GMT'),

1163

'notBefore': asn1time('Mar 30 12:29:49 2003 GMT'),

1164

'serialNumber': '00',

Christian Heimes

bd3a7f9

2013-11-21 03:40:15 +0100

[diff] [blame]

1165

'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1166

'subject': ((('organizationName', 'Root CA'),),

1167

(('organizationalUnitName', 'http://www.cacert.org'),),

1168

(('commonName', 'CA Cert Signing Authority'),),

1169

(('emailAddress', 'support@cacert.org'),)),

1170

'version': 3}])

1171

Martin Panter

b55f8b7

2016-01-14 12:53:56 +0000

[diff] [blame]

1172

with open(CAFILE_CACERT) as f:

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1173

pem = f.read()

1174

der = ssl.PEM_cert_to_DER_cert(pem)

1175

self.assertEqual(ctx.get_ca_certs(True), [der])

1176

Christian Heimes

72d2850

2013-11-23 13:56:58 +0100

[diff] [blame]

1177

def test_load_default_certs(self):

1178

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1179

ctx.load_default_certs()

1180

1181

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1182

ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

1183

ctx.load_default_certs()

1184

1185

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1186

ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)

1187

1188

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1189

self.assertRaises(TypeError, ctx.load_default_certs, None)

1190

self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')

1191

Benjamin Peterson

91244e0

2014-10-03 18:17:15 -0400

[diff] [blame]

1192

@unittest.skipIf(sys.platform == "win32", "not-Windows specific")

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

1193

@unittest.skipIf(IS_LIBRESSL, "LibreSSL doesn't support env vars")

Benjamin Peterson

5915b0f

2014-10-03 17:27:05 -0400

[diff] [blame]

1194

def test_load_default_certs_env(self):

1195

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1196

with support.EnvironmentVarGuard() as env:

1197

env["SSL_CERT_DIR"] = CAPATH

1198

env["SSL_CERT_FILE"] = CERTFILE

1199

ctx.load_default_certs()

1200

self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})

1201

Benjamin Peterson

91244e0

2014-10-03 18:17:15 -0400

[diff] [blame]

1202

@unittest.skipUnless(sys.platform == "win32", "Windows specific")

1203

def test_load_default_certs_env_windows(self):

1204

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1205

ctx.load_default_certs()

1206

stats = ctx.cert_store_stats()

1207

1208

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1209

with support.EnvironmentVarGuard() as env:

1210

env["SSL_CERT_DIR"] = CAPATH

1211

env["SSL_CERT_FILE"] = CERTFILE

1212

ctx.load_default_certs()

1213

stats["x509"] += 1

1214

self.assertEqual(ctx.cert_store_stats(), stats)

1215

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1216

def test_create_default_context(self):

1217

ctx = ssl.create_default_context()

Donald Stufft

2014-03-23 19:05:28 -0400

[diff] [blame]

1218

self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1219

self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)

Christian Heimes

2013-12-02 02:41:19 +0100

[diff] [blame]

1220

self.assertTrue(ctx.check_hostname)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1221

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

Donald Stufft

2014-03-23 19:05:28 -0400

[diff] [blame]

1222

self.assertEqual(

1223

ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),

1224

getattr(ssl, "OP_NO_COMPRESSION", 0),

1225

)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1226

1227

with open(SIGNING_CA) as f:

1228

cadata = f.read()

1229

ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,

1230

cadata=cadata)

Donald Stufft

2014-03-23 19:05:28 -0400

[diff] [blame]

1231

self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1232

self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)

1233

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

Donald Stufft

2014-03-23 19:05:28 -0400

[diff] [blame]

1234

self.assertEqual(

1235

ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),

1236

getattr(ssl, "OP_NO_COMPRESSION", 0),

1237

)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1238

1239

ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

Donald Stufft

2014-03-23 19:05:28 -0400

[diff] [blame]

1240

self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1241

self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)

1242

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

Donald Stufft

2014-03-23 19:05:28 -0400

[diff] [blame]

1243

self.assertEqual(

1244

ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),

1245

getattr(ssl, "OP_NO_COMPRESSION", 0),

1246

)

1247

self.assertEqual(

1248

ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),

1249

getattr(ssl, "OP_SINGLE_DH_USE", 0),

1250

)

1251

self.assertEqual(

1252

ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),

1253

getattr(ssl, "OP_SINGLE_ECDH_USE", 0),

1254

)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1255

Christian Heimes

2013-11-23 22:43:47 +0100

[diff] [blame]

1256

def test__create_stdlib_context(self):

1257

ctx = ssl._create_stdlib_context()

1258

self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)

1259

self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)

Christian Heimes

2013-12-02 02:41:19 +0100

[diff] [blame]

1260

self.assertFalse(ctx.check_hostname)

Christian Heimes

2013-11-23 22:43:47 +0100

[diff] [blame]

1261

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

1262

1263

ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)

1264

self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)

1265

self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)

1266

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

1267

1268

ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,

Christian Heimes

a02c69a

2013-12-02 20:59:28 +0100

[diff] [blame]

1269

cert_reqs=ssl.CERT_REQUIRED,

1270

check_hostname=True)

Christian Heimes

2013-11-23 22:43:47 +0100

[diff] [blame]

1271

self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)

1272

self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)

Christian Heimes

a02c69a

2013-12-02 20:59:28 +0100

[diff] [blame]

1273

self.assertTrue(ctx.check_hostname)

Christian Heimes

2013-11-23 22:43:47 +0100

[diff] [blame]

1274

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

1275

1276

ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)

1277

self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)

1278

self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)

1279

self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)

Christian Heimes

2013-11-23 15:58:30 +0100

[diff] [blame]

1280

Christian Heimes

2013-12-02 02:41:19 +0100

[diff] [blame]

1281

def test_check_hostname(self):

1282

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1283

self.assertFalse(ctx.check_hostname)

1284

1285

# Requires CERT_REQUIRED or CERT_OPTIONAL

1286

with self.assertRaises(ValueError):

1287

ctx.check_hostname = True

1288

ctx.verify_mode = ssl.CERT_REQUIRED

1289

self.assertFalse(ctx.check_hostname)

1290

ctx.check_hostname = True

1291

self.assertTrue(ctx.check_hostname)

1292

1293

ctx.verify_mode = ssl.CERT_OPTIONAL

1294

ctx.check_hostname = True

1295

self.assertTrue(ctx.check_hostname)

1296

1297

# Cannot set CERT_NONE with check_hostname enabled

1298

with self.assertRaises(ValueError):

1299

ctx.verify_mode = ssl.CERT_NONE

1300

ctx.check_hostname = False

1301

self.assertFalse(ctx.check_hostname)

1302

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

1303

Antoine Pitrou

3b36fb1

2012-06-22 21:11:52 +0200

[diff] [blame]

1304

class SSLErrorTests(unittest.TestCase):

1305

1306

def test_str(self):

1307

# The str() of a SSLError doesn't include the errno

1308

e = ssl.SSLError(1, "foo")

1309

self.assertEqual(str(e), "foo")

1310

self.assertEqual(e.errno, 1)

1311

# Same for a subclass

1312

e = ssl.SSLZeroReturnError(1, "foo")

1313

self.assertEqual(str(e), "foo")

1314

self.assertEqual(e.errno, 1)

1315

1316

def test_lib_reason(self):

1317

# Test the library and reason attributes

1318

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1319

with self.assertRaises(ssl.SSLError) as cm:

1320

ctx.load_dh_params(CERTFILE)

1321

self.assertEqual(cm.exception.library, 'PEM')

1322

self.assertEqual(cm.exception.reason, 'NO_START_LINE')

1323

s = str(cm.exception)

1324

self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)

1325

1326

def test_subclass(self):

1327

# Check that the appropriate SSLError subclass is raised

1328

# (this only tests one of them)

1329

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1330

with socket.socket() as s:

1331

s.bind(("127.0.0.1", 0))

Charles-François Natali

2014-07-23 19:28:13 +0100

[diff] [blame]

1332

s.listen()

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

1333

c = socket.socket()

1334

c.connect(s.getsockname())

1335

c.setblocking(False)

1336

with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:

Antoine Pitrou

3b36fb1

2012-06-22 21:11:52 +0200

[diff] [blame]

1337

with self.assertRaises(ssl.SSLWantReadError) as cm:

1338

c.do_handshake()

1339

s = str(cm.exception)

1340

self.assertTrue(s.startswith("The operation did not complete (read)"), s)

1341

# For compatibility

1342

self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)

1343

1344

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

1345

class MemoryBIOTests(unittest.TestCase):

1346

1347

def test_read_write(self):

1348

bio = ssl.MemoryBIO()

1349

bio.write(b'foo')

1350

self.assertEqual(bio.read(), b'foo')

1351

self.assertEqual(bio.read(), b'')

1352

bio.write(b'foo')

1353

bio.write(b'bar')

1354

self.assertEqual(bio.read(), b'foobar')

1355

self.assertEqual(bio.read(), b'')

1356

bio.write(b'baz')

1357

self.assertEqual(bio.read(2), b'ba')

1358

self.assertEqual(bio.read(1), b'z')

1359

self.assertEqual(bio.read(1), b'')

1360

1361

def test_eof(self):

1362

bio = ssl.MemoryBIO()

1363

self.assertFalse(bio.eof)

1364

self.assertEqual(bio.read(), b'')

1365

self.assertFalse(bio.eof)

1366

bio.write(b'foo')

1367

self.assertFalse(bio.eof)

1368

bio.write_eof()

1369

self.assertFalse(bio.eof)

1370

self.assertEqual(bio.read(2), b'fo')

1371

self.assertFalse(bio.eof)

1372

self.assertEqual(bio.read(1), b'o')

1373

self.assertTrue(bio.eof)

1374

self.assertEqual(bio.read(), b'')

1375

self.assertTrue(bio.eof)

1376

1377

def test_pending(self):

1378

bio = ssl.MemoryBIO()

1379

self.assertEqual(bio.pending, 0)

1380

bio.write(b'foo')

1381

self.assertEqual(bio.pending, 3)

1382

for i in range(3):

1383

bio.read(1)

1384

self.assertEqual(bio.pending, 3-i-1)

1385

for i in range(3):

1386

bio.write(b'x')

1387

self.assertEqual(bio.pending, i+1)

1388

bio.read()

1389

self.assertEqual(bio.pending, 0)

1390

1391

def test_buffer_types(self):

1392

bio = ssl.MemoryBIO()

1393

bio.write(b'foo')

1394

self.assertEqual(bio.read(), b'foo')

1395

bio.write(bytearray(b'bar'))

1396

self.assertEqual(bio.read(), b'bar')

1397

bio.write(memoryview(b'baz'))

1398

self.assertEqual(bio.read(), b'baz')

1399

1400

def test_error_types(self):

1401

bio = ssl.MemoryBIO()

1402

self.assertRaises(TypeError, bio.write, 'foo')

1403

self.assertRaises(TypeError, bio.write, None)

1404

self.assertRaises(TypeError, bio.write, True)

1405

self.assertRaises(TypeError, bio.write, 1)

1406

1407

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1408

@unittest.skipUnless(_have_threads, "Needs threading module")

1409

class SimpleBackgroundTests(unittest.TestCase):

1410

1411

"""Tests that connect to a simple server running in the background"""

1412

1413

def setUp(self):

1414

server = ThreadedEchoServer(SIGNED_CERTFILE)

1415

self.server_addr = (HOST, server.port)

1416

server.__enter__()

1417

self.addCleanup(server.__exit__, None, None, None)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1418

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1419

def test_connect(self):

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1420

with ssl.wrap_socket(socket.socket(socket.AF_INET),

1421

cert_reqs=ssl.CERT_NONE) as s:

1422

s.connect(self.server_addr)

1423

self.assertEqual({}, s.getpeercert())

Antoine Pitrou

350c722

2010-09-09 13:31:46 +0000

[diff] [blame]

1424

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1425

# this should succeed because we specify the root cert

1426

with ssl.wrap_socket(socket.socket(socket.AF_INET),

1427

cert_reqs=ssl.CERT_REQUIRED,

1428

ca_certs=SIGNING_CA) as s:

1429

s.connect(self.server_addr)

1430

self.assertTrue(s.getpeercert())

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1431

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1432

def test_connect_fail(self):

1433

# This should fail because we have no verification certs. Connection

1434

# failure crashes ThreadedEchoServer, so run this in an independent

1435

# test method.

1436

s = ssl.wrap_socket(socket.socket(socket.AF_INET),

1437

cert_reqs=ssl.CERT_REQUIRED)

1438

self.addCleanup(s.close)

1439

self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",

1440

s.connect, self.server_addr)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

1441

Antoine Pitrou

2011-02-26 23:24:06 +0000

[diff] [blame]

1442

def test_connect_ex(self):

1443

# Issue #11326: check connect_ex() implementation

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1444

s = ssl.wrap_socket(socket.socket(socket.AF_INET),

1445

cert_reqs=ssl.CERT_REQUIRED,

1446

ca_certs=SIGNING_CA)

1447

self.addCleanup(s.close)

1448

self.assertEqual(0, s.connect_ex(self.server_addr))

1449

self.assertTrue(s.getpeercert())

Antoine Pitrou

2011-02-26 23:24:06 +0000

[diff] [blame]

1450

1451

def test_non_blocking_connect_ex(self):

1452

# Issue #11326: non-blocking connect_ex() should allow handshake

1453

# to proceed after the socket gets ready.

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1454

s = ssl.wrap_socket(socket.socket(socket.AF_INET),

1455

cert_reqs=ssl.CERT_REQUIRED,

1456

ca_certs=SIGNING_CA,

1457

do_handshake_on_connect=False)

1458

self.addCleanup(s.close)

1459

s.setblocking(False)

1460

rc = s.connect_ex(self.server_addr)

1461

# EWOULDBLOCK under Windows, EINPROGRESS elsewhere

1462

self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))

1463

# Wait for connect to finish

1464

select.select([], [s], [], 5.0)

1465

# Non-blocking handshake

1466

while True:

Antoine Pitrou

2011-02-26 23:24:06 +0000

[diff] [blame]

1467

try:

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1468

s.do_handshake()

1469

break

1470

except ssl.SSLWantReadError:

1471

select.select([s], [], [], 5.0)

1472

except ssl.SSLWantWriteError:

Antoine Pitrou

2011-02-26 23:24:06 +0000

[diff] [blame]

1473

select.select([], [s], [], 5.0)

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1474

# SSL established

1475

self.assertTrue(s.getpeercert())

Antoine Pitrou

40f12ab

2012-12-28 19:03:43 +0100

[diff] [blame]

1476

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

1477

def test_connect_with_context(self):

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1478

# Same as test_connect, but with a separately created context

1479

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1480

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1481

s.connect(self.server_addr)

1482

self.assertEqual({}, s.getpeercert())

1483

# Same with a server hostname

1484

with ctx.wrap_socket(socket.socket(socket.AF_INET),

1485

server_hostname="dummy") as s:

1486

s.connect(self.server_addr)

1487

ctx.verify_mode = ssl.CERT_REQUIRED

1488

# This should succeed because we specify the root cert

1489

ctx.load_verify_locations(SIGNING_CA)

1490

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1491

s.connect(self.server_addr)

1492

cert = s.getpeercert()

1493

self.assertTrue(cert)

1494

1495

def test_connect_with_context_fail(self):

1496

# This should fail because we have no verification certs. Connection

1497

# failure crashes ThreadedEchoServer, so run this in an independent

1498

# test method.

1499

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1500

ctx.verify_mode = ssl.CERT_REQUIRED

1501

s = ctx.wrap_socket(socket.socket(socket.AF_INET))

1502

self.addCleanup(s.close)

1503

self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",

1504

s.connect, self.server_addr)

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

1505

1506

def test_connect_capath(self):

1507

# Verify server certificates using the `capath` argument

Antoine Pitrou

467f28d

2010-05-16 19:22:44 +0000

[diff] [blame]

1508

# NOTE: the subject hashing algorithm has been changed between

1509

# OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must

1510

# contain both versions of each certificate (same content, different

Antoine Pitrou

d7e4c1c

2010-05-17 14:13:10 +0000

[diff] [blame]

1511

# filename) for this test to be portable across OpenSSL releases.

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1512

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1513

ctx.verify_mode = ssl.CERT_REQUIRED

1514

ctx.load_verify_locations(capath=CAPATH)

1515

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1516

s.connect(self.server_addr)

1517

cert = s.getpeercert()

1518

self.assertTrue(cert)

1519

# Same with a bytes `capath` argument

1520

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1521

ctx.verify_mode = ssl.CERT_REQUIRED

1522

ctx.load_verify_locations(capath=BYTES_CAPATH)

1523

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1524

s.connect(self.server_addr)

1525

cert = s.getpeercert()

1526

self.assertTrue(cert)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1527

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

1528

def test_connect_cadata(self):

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1529

with open(SIGNING_CA) as f:

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

1530

pem = f.read()

1531

der = ssl.PEM_cert_to_DER_cert(pem)

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1532

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1533

ctx.verify_mode = ssl.CERT_REQUIRED

1534

ctx.load_verify_locations(cadata=pem)

1535

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1536

s.connect(self.server_addr)

1537

cert = s.getpeercert()

1538

self.assertTrue(cert)

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

1539

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1540

# same with DER

1541

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1542

ctx.verify_mode = ssl.CERT_REQUIRED

1543

ctx.load_verify_locations(cadata=der)

1544

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1545

s.connect(self.server_addr)

1546

cert = s.getpeercert()

1547

self.assertTrue(cert)

Christian Heimes

2013-11-21 03:35:02 +0100

[diff] [blame]

1548

Antoine Pitrou

e322024

2010-04-24 11:13:53 +0000

[diff] [blame]

1549

@unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")

1550

def test_makefile_close(self):

1551

# Issue #5238: creating a file-like object with makefile() shouldn't

1552

# delay closing the underlying "real socket" (here tested with its

1553

# file descriptor, hence skipping the test under Windows).

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1554

ss = ssl.wrap_socket(socket.socket(socket.AF_INET))

1555

ss.connect(self.server_addr)

fd = ss.fileno()

f = ss.makefile()

f.close()

# The fd is still open

1560

os.read(fd, 0)

1561

# Closing the SSL socket should close the fd too

1562

ss.close()

1563

gc.collect()

1564

with self.assertRaises(OSError) as e:

Antoine Pitrou

e322024

2010-04-24 11:13:53 +0000

[diff] [blame]

1565

os.read(fd, 0)

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1566

self.assertEqual(e.exception.errno, errno.EBADF)

Antoine Pitrou

e322024

2010-04-24 11:13:53 +0000

[diff] [blame]

1567

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1568

def test_non_blocking_handshake(self):

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1569

s = socket.socket(socket.AF_INET)

1570

s.connect(self.server_addr)

1571

s.setblocking(False)

1572

s = ssl.wrap_socket(s,

1573

cert_reqs=ssl.CERT_NONE,

1574

do_handshake_on_connect=False)

1575

self.addCleanup(s.close)

count = 0

while True:

try:

count += 1

s.do_handshake()

break

except ssl.SSLWantReadError:

1583

select.select([s], [], [])

1584

except ssl.SSLWantWriteError:

1585

select.select([], [s], [])

1586

if support.verbose:

1587

sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1588

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1589

def test_get_server_certificate(self):

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1590

_test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)

Antoine Pitrou

5aefa66

2011-04-28 19:24:46 +0200

[diff] [blame]

1591

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1592

def test_get_server_certificate_fail(self):

1593

# Connection failure crashes ThreadedEchoServer, so run this in an

1594

# independent test method

1595

_test_get_server_certificate_fail(self, *self.server_addr)

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

1596

Antoine Pitrou

f4c7bad

2010-08-15 23:02:22 +0000

[diff] [blame]

1597

def test_ciphers(self):

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1598

with ssl.wrap_socket(socket.socket(socket.AF_INET),

1599

cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:

1600

s.connect(self.server_addr)

1601

with ssl.wrap_socket(socket.socket(socket.AF_INET),

1602

cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:

1603

s.connect(self.server_addr)

1604

# Error checking can happen at instantiation or when connecting

1605

with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):

1606

with socket.socket(socket.AF_INET) as sock:

1607

s = ssl.wrap_socket(sock,

1608

cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")

1609

s.connect(self.server_addr)

Antoine Pitrou

fec12ff

2010-04-21 19:46:23 +0000

[diff] [blame]

1610

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1611

def test_get_ca_certs_capath(self):

1612

# capath certs are loaded on request

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1613

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1614

ctx.verify_mode = ssl.CERT_REQUIRED

1615

ctx.load_verify_locations(capath=CAPATH)

1616

self.assertEqual(ctx.get_ca_certs(), [])

1617

with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:

1618

s.connect(self.server_addr)

1619

cert = s.getpeercert()

1620

self.assertTrue(cert)

1621

self.assertEqual(len(ctx.get_ca_certs()), 1)

Christian Heimes

2013-06-17 15:44:12 +0200

[diff] [blame]

1622

Christian Heimes

575596e

2013-12-15 21:49:17 +0100

[diff] [blame]

1623

@needs_sni

Christian Heimes

8e7f394

2013-12-05 07:41:08 +0100

[diff] [blame]

1624

def test_context_setget(self):

1625

# Check that the context of a connected socket can be replaced.

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1626

ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1627

ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1628

s = socket.socket(socket.AF_INET)

1629

with ctx1.wrap_socket(s) as ss:

1630

ss.connect(self.server_addr)

1631

self.assertIs(ss.context, ctx1)

1632

self.assertIs(ss._sslobj.context, ctx1)

1633

ss.context = ctx2

1634

self.assertIs(ss.context, ctx2)

1635

self.assertIs(ss._sslobj.context, ctx2)

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

1636

1637

def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):

1638

# A simple IO loop. Call func(*args) depending on the error we get

1639

# (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.

1640

timeout = kwargs.get('timeout', 10)

count = 0

while True:

errno = None

count += 1

try:

ret = func(*args)

except ssl.SSLError as e:

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

1648

if e.errno not in (ssl.SSL_ERROR_WANT_READ,

Martin Panter

40b97ec

2016-01-14 13:05:46 +0000

[diff] [blame]

1649

ssl.SSL_ERROR_WANT_WRITE):

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

1650

raise

1651

errno = e.errno

1652

# Get any data from the outgoing BIO irrespective of any error, and

1653

# send it to the socket.

1654

buf = outgoing.read()

1655

sock.sendall(buf)

1656

# If there's no error, we're done. For WANT_READ, we need to get

1657

# data from the socket and put it in the incoming BIO.

1658

if errno is None:

1659

break

1660

elif errno == ssl.SSL_ERROR_WANT_READ:

1661

buf = sock.recv(32768)

if buf:

incoming.write(buf)

else:

incoming.write_eof()

if support.verbose:

sys.stdout.write("Needed %d calls to complete %s().\n"

1668

% (count, func.__name__))

1669

return ret

1670

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1671

def test_bio_handshake(self):

1672

sock = socket.socket(socket.AF_INET)

1673

self.addCleanup(sock.close)

1674

sock.connect(self.server_addr)

1675

incoming = ssl.MemoryBIO()

1676

outgoing = ssl.MemoryBIO()

1677

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1678

ctx.verify_mode = ssl.CERT_REQUIRED

1679

ctx.load_verify_locations(SIGNING_CA)

1680

ctx.check_hostname = True

1681

sslobj = ctx.wrap_bio(incoming, outgoing, False, 'localhost')

1682

self.assertIs(sslobj._sslobj.owner, sslobj)

1683

self.assertIsNone(sslobj.cipher())

Christian Heimes

01113fa

2016-09-05 23:23:24 +0200

[diff] [blame]

1684

self.assertIsNotNone(sslobj.shared_ciphers())

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1685

self.assertRaises(ValueError, sslobj.getpeercert)

1686

if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:

1687

self.assertIsNone(sslobj.get_channel_binding('tls-unique'))

1688

self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)

1689

self.assertTrue(sslobj.cipher())

Christian Heimes

01113fa

2016-09-05 23:23:24 +0200

[diff] [blame]

1690

self.assertIsNotNone(sslobj.shared_ciphers())

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1691

self.assertTrue(sslobj.getpeercert())

1692

if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:

1693

self.assertTrue(sslobj.get_channel_binding('tls-unique'))

1694

try:

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

1695

self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1696

except ssl.SSLSyscallError:

1697

# If the server shuts down the TCP connection without sending a

1698

# secure shutdown message, this is reported as SSL_ERROR_SYSCALL

1699

pass

1700

self.assertRaises(ssl.SSLError, sslobj.write, b'foo')

1701

1702

def test_bio_read_write_data(self):

1703

sock = socket.socket(socket.AF_INET)

1704

self.addCleanup(sock.close)

1705

sock.connect(self.server_addr)

1706

incoming = ssl.MemoryBIO()

1707

outgoing = ssl.MemoryBIO()

1708

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

1709

ctx.verify_mode = ssl.CERT_NONE

1710

sslobj = ctx.wrap_bio(incoming, outgoing, False)

1711

self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)

1712

req = b'FOO\n'

1713

self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)

1714

buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)

1715

self.assertEqual(buf, b'foo\n')

1716

self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)

Antoine Pitrou

2014-10-05 20:41:53 +0200

[diff] [blame]

1717

1718

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1719

class NetworkedTests(unittest.TestCase):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1720

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1721

def test_timeout_connect_ex(self):

1722

# Issue #12065: on a timeout, connect_ex() should return the original

1723

# errno (mimicking the behaviour of non-SSL sockets).

1724

with support.transient_internet(REMOTE_HOST):

1725

s = ssl.wrap_socket(socket.socket(socket.AF_INET),

1726

cert_reqs=ssl.CERT_REQUIRED,

1727

do_handshake_on_connect=False)

1728

self.addCleanup(s.close)

1729

s.settimeout(0.0000001)

1730

rc = s.connect_ex((REMOTE_HOST, 443))

1731

if rc == 0:

1732

self.skipTest("REMOTE_HOST responded too quickly")

1733

self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))

1734

1735

@unittest.skipUnless(support.IPV6_ENABLED, 'Needs IPv6')

1736

def test_get_server_certificate_ipv6(self):

1737

with support.transient_internet('ipv6.google.com'):

1738

_test_get_server_certificate(self, 'ipv6.google.com', 443)

1739

_test_get_server_certificate_fail(self, 'ipv6.google.com', 443)

1740

1741

def test_algorithms(self):

1742

# Issue #8484: all algorithms should be available when verifying a

1743

# certificate.

1744

# SHA256 was added in OpenSSL 0.9.8

1745

if ssl.OPENSSL_VERSION_INFO < (0, 9, 8, 0, 15):

1746

self.skipTest("SHA256 not available on %r" % ssl.OPENSSL_VERSION)

1747

# sha256.tbs-internet.com needs SNI to use the correct certificate

1748

if not ssl.HAS_SNI:

1749

self.skipTest("SNI needed for this test")

1750

# https://sha2.hboeck.de/ was used until 2011-01-08 (no route to host)

1751

remote = ("sha256.tbs-internet.com", 443)

1752

sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem")

1753

with support.transient_internet("sha256.tbs-internet.com"):

1754

ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

1755

ctx.verify_mode = ssl.CERT_REQUIRED

1756

ctx.load_verify_locations(sha256_cert)

1757

s = ctx.wrap_socket(socket.socket(socket.AF_INET),

1758

server_hostname="sha256.tbs-internet.com")

try:

s.connect(remote)

if support.verbose:

sys.stdout.write("\nCipher with %r is %r\n" %

1763

(remote, s.cipher()))

1764

sys.stdout.write("Certificate is:\n%s\n" %

1765

pprint.pformat(s.getpeercert()))

finally:

s.close()

def _test_get_server_certificate(test, host, port, cert=None):

1771

pem = ssl.get_server_certificate((host, port))

1772

if not pem:

1773

test.fail("No server certificate on %s:%s!" % (host, port))

1774

1775

pem = ssl.get_server_certificate((host, port), ca_certs=cert)

1776

if not pem:

1777

test.fail("No server certificate on %s:%s!" % (host, port))

1778

if support.verbose:

1779

sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))

1780

1781

def _test_get_server_certificate_fail(test, host, port):

1782

try:

1783

pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)

1784

except ssl.SSLError as x:

1785

#should fail

1786

if support.verbose:

1787

sys.stdout.write("%s\n" % x)

1788

else:

1789

test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))

1790

1791

1792

if _have_threads:

Antoine Pitrou

2010-10-13 10:36:15 +0000

[diff] [blame]

1793

from test.ssl_servers import make_https_server

1794

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1795

class ThreadedEchoServer(threading.Thread):

1796

1797

class ConnectionHandler(threading.Thread):

1798

1799

"""A mildly complicated class, because we want it to work both

1800

with and without the SSL wrapper around the socket connection, so

1801

that we can test the STARTTLS functionality."""

1802

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

1803

def __init__(self, server, connsock, addr):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1804

self.server = server

1805

self.running = False

1806

self.sock = connsock

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

1807

self.addr = addr

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1808

self.sock.setblocking(1)

1809

self.sslconn = None

1810

threading.Thread.__init__(self)

Benjamin Peterson

4171da5

2008-08-18 21:11:09 +0000

[diff] [blame]

1811

self.daemon = True

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1812

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1813

def wrap_conn(self):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1814

try:

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

1815

self.sslconn = self.server.context.wrap_socket(

1816

self.sock, server_side=True)

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

1817

self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())

1818

self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())

Nadeem Vawda

ad246bf

2013-03-03 22:44:22 +0100

[diff] [blame]

1819

except (ssl.SSLError, ConnectionResetError) as e:

1820

# We treat ConnectionResetError as though it were an

1821

# SSLError - OpenSSL on Ubuntu abruptly closes the

1822

# connection when asked to use an unsupported protocol.

1823

#

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

1824

# XXX Various errors can have happened here, for example

1825

# a mismatching protocol version, an invalid certificate,

1826

# or a low-level bug. This should be made more discriminating.

Antoine Pitrou

2012-01-03 22:46:48 +0100

[diff] [blame]

1827

self.server.conn_errors.append(e)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1828

if self.server.chatty:

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

1829

handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

1830

self.running = False

1831

self.server.stop()

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

1832

self.close()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1833

return False

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1834

else:

Benjamin Peterson

2015-01-07 11:14:26 -0600

[diff] [blame]

1835

self.server.shared_ciphers.append(self.sslconn.shared_ciphers())

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

1836

if self.server.context.verify_mode == ssl.CERT_REQUIRED:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1837

cert = self.sslconn.getpeercert()

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1838

if support.verbose and self.server.chatty:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1839

sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")

1840

cert_binary = self.sslconn.getpeercert(True)

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1841

if support.verbose and self.server.chatty:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1842

sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n")

1843

cipher = self.sslconn.cipher()

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1844

if support.verbose and self.server.chatty:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1845

sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

1846

sys.stdout.write(" server: selected protocol is now "

1847

+ str(self.sslconn.selected_npn_protocol()) + "\n")

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

return True

def read(self):

if self.sslconn:

return self.sslconn.read()

1853

else:

1854

return self.sock.recv(1024)

1855

1856

def write(self, bytes):

1857

if self.sslconn:

1858

return self.sslconn.write(bytes)

1859

else:

1860

return self.sock.send(bytes)

def close(self):

if self.sslconn:

self.sslconn.close()

else:

self.sock.close()

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1868

def run(self):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1869

self.running = True

1870

if not self.server.starttls_server:

1871

if not self.wrap_conn():

return

while self.running:

try:

msg = self.read()

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1876

stripped = msg.strip()

1877

if not stripped:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1878

# eof, so quit this handler

1879

self.running = False

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

1880

try:

1881

self.sock = self.sslconn.unwrap()

1882

except OSError:

1883

# Many tests shut the TCP connection down

1884

# without an SSL shutdown. This causes

1885

# unwrap() to raise OSError with errno=0!

1886

pass

1887

else:

1888

self.sslconn = None

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1889

self.close()

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1890

elif stripped == b'over':

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1891

if support.verbose and self.server.connectionchatty:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1892

sys.stdout.write(" server: client closed connection\n")

1893

self.close()

1894

return

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

1895

elif (self.server.starttls_server and

Antoine Pitrou

764b878

2010-04-28 22:57:15 +0000

[diff] [blame]

1896

stripped == b'STARTTLS'):

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1897

if support.verbose and self.server.connectionchatty:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1898

sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1899

self.write(b"OK\n")

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1900

if not self.wrap_conn():

1901

return

Bill Janssen

40a0f66

2008-08-12 16:56:25 +0000

[diff] [blame]

1902

elif (self.server.starttls_server and self.sslconn

Antoine Pitrou

764b878

2010-04-28 22:57:15 +0000

[diff] [blame]

1903

and stripped == b'ENDTLS'):

Bill Janssen

40a0f66

2008-08-12 16:56:25 +0000

[diff] [blame]

1904

if support.verbose and self.server.connectionchatty:

1905

sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1906

self.write(b"OK\n")

Bill Janssen

40a0f66

2008-08-12 16:56:25 +0000

[diff] [blame]

1907

self.sock = self.sslconn.unwrap()

1908

self.sslconn = None

1909

if support.verbose and self.server.connectionchatty:

1910

sys.stdout.write(" server: connection is now unencrypted...\n")

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

1911

elif stripped == b'CB tls-unique':

1912

if support.verbose and self.server.connectionchatty:

1913

sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")

1914

data = self.sslconn.get_channel_binding("tls-unique")

1915

self.write(repr(data).encode("us-ascii") + b"\n")

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1916

else:

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1917

if (support.verbose and

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1918

self.server.connectionchatty):

1919

ctype = (self.sslconn and "encrypted") or "unencrypted"

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1920

sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"

1921

% (msg, ctype, msg.lower(), ctype))

1922

self.write(msg.lower())

Andrew Svetlov

2012-12-18 23:10:48 +0200

[diff] [blame]

1923

except OSError:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1924

if self.server.chatty:

1925

handle_error("Test server failure:\n")

1926

self.close()

1927

self.running = False

1928

# normally, we'd just stop here, but for the test

1929

# harness, we want to stop the server

1930

self.server.stop()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1931

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

1932

def __init__(self, certificate=None, ssl_version=None,

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

1933

certreqs=None, cacerts=None,

Antoine Pitrou

2d9cb9c

2010-04-17 17:40:45 +0000

[diff] [blame]

1934

chatty=True, connectionchatty=False, starttls_server=False,

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

1935

npn_protocols=None, alpn_protocols=None,

1936

ciphers=None, context=None):

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

1937

if context:

1938

self.context = context

1939

else:

1940

self.context = ssl.SSLContext(ssl_version

1941

if ssl_version is not None

1942

else ssl.PROTOCOL_TLSv1)

1943

self.context.verify_mode = (certreqs if certreqs is not None

1944

else ssl.CERT_NONE)

1945

if cacerts:

1946

self.context.load_verify_locations(cacerts)

1947

if certificate:

1948

self.context.load_cert_chain(certificate)

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

1949

if npn_protocols:

1950

self.context.set_npn_protocols(npn_protocols)

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

1951

if alpn_protocols:

1952

self.context.set_alpn_protocols(alpn_protocols)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

1953

if ciphers:

1954

self.context.set_ciphers(ciphers)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1955

self.chatty = chatty

1956

self.connectionchatty = connectionchatty

1957

self.starttls_server = starttls_server

1958

self.sock = socket.socket()

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1959

self.port = support.bind_port(self.sock)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1960

self.flag = None

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1961

self.active = False

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

1962

self.selected_npn_protocols = []

1963

self.selected_alpn_protocols = []

Benjamin Peterson

2015-01-07 11:14:26 -0600

[diff] [blame]

1964

self.shared_ciphers = []

Antoine Pitrou

2012-01-03 22:46:48 +0100

[diff] [blame]

1965

self.conn_errors = []

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1966

threading.Thread.__init__(self)

Benjamin Peterson

4171da5

2008-08-18 21:11:09 +0000

[diff] [blame]

1967

self.daemon = True

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1968

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

1969

def __enter__(self):

1970

self.start(threading.Event())

1971

self.flag.wait()

Antoine Pitrou

2012-01-03 22:46:48 +0100

[diff] [blame]

1972

return self

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

1973

1974

def __exit__(self, *args):

self.stop()

self.join()

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1978

def start(self, flag=None):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1979

self.flag = flag

1980

threading.Thread.start(self)

1981

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

1982

def run(self):

Antoine Pitrou

af7c602

2010-04-27 09:56:02 +0000

[diff] [blame]

1983

self.sock.settimeout(0.05)

Charles-François Natali

2014-07-23 19:28:13 +0100

[diff] [blame]

1984

self.sock.listen()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

self.active = True

if self.flag:

# signal an event

self.flag.set()

while self.active:

try:

newconn, connaddr = self.sock.accept()

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

1992

if support.verbose and self.chatty:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1993

sys.stdout.write(' server: new connection from '

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

1994

+ repr(connaddr) + '\n')

1995

handler = self.ConnectionHandler(self, newconn, connaddr)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1996

handler.start()

Antoine Pitrou

eced82e

2012-01-27 17:33:01 +0100

[diff] [blame]

1997

handler.join()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

1998

except socket.timeout:

1999

pass

2000

except KeyboardInterrupt:

2001

self.stop()

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

2002

self.sock.close()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2003

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2004

def stop(self):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2005

self.active = False

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2006

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2007

class AsyncoreEchoServer(threading.Thread):

2008

2009

# this one's based on asyncore.dispatcher

2010

2011

class EchoServer (asyncore.dispatcher):

2012

2013

class ConnectionHandler (asyncore.dispatcher_with_send):

2014

2015

def __init__(self, conn, certfile):

2016

self.socket = ssl.wrap_socket(conn, server_side=True,

2017

certfile=certfile,

2018

do_handshake_on_connect=False)

2019

asyncore.dispatcher_with_send.__init__(self, self.socket)

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2020

self._ssl_accepting = True

2021

self._do_ssl_handshake()

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2022

2023

def readable(self):

2024

if isinstance(self.socket, ssl.SSLSocket):

2025

while self.socket.pending() > 0:

2026

self.handle_read_event()

2027

return True

2028

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2029

def _do_ssl_handshake(self):

2030

try:

2031

self.socket.do_handshake()

Antoine Pitrou

41032a6

2011-10-27 23:56:55 +0200

[diff] [blame]

2032

except (ssl.SSLWantReadError, ssl.SSLWantWriteError):

2033

return

2034

except ssl.SSLEOFError:

2035

return self.handle_close()

2036

except ssl.SSLError:

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2037

raise

Andrew Svetlov

2012-12-18 23:10:48 +0200

[diff] [blame]

2038

except OSError as err:

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2039

if err.args[0] == errno.ECONNABORTED:

2040

return self.handle_close()

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2041

else:

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2042

self._ssl_accepting = False

2043

2044

def handle_read(self):

2045

if self._ssl_accepting:

2046

self._do_ssl_handshake()

2047

else:

2048

data = self.recv(1024)

2049

if support.verbose:

2050

sys.stdout.write(" server: read %s from client\n" % repr(data))

2051

if not data:

2052

self.close()

2053

else:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2054

self.send(data.lower())

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2055

2056

def handle_close(self):

Bill Janssen

2f5799b

2008-06-29 00:08:12 +0000

[diff] [blame]

2057

self.close()

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2058

if support.verbose:

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2059

sys.stdout.write(" server: closed connection %s\n" % self.socket)

2060

2061

def handle_error(self):

2062

raise

2063

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

2064

def __init__(self, certfile):

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2065

self.certfile = certfile

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

2066

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

2067

self.port = support.bind_port(sock, '')

2068

asyncore.dispatcher.__init__(self, sock)

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2069

self.listen(5)

2070

Giampaolo Rodolà

977c707

2010-10-04 21:08:36 +0000

[diff] [blame]

2071

def handle_accepted(self, sock_obj, addr):

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2072

if support.verbose:

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2073

sys.stdout.write(" server: new connection from %s:%s\n" %addr)

2074

self.ConnectionHandler(sock_obj, self.certfile)

2075

2076

def handle_error(self):

2077

raise

2078

Trent Nelson

7852000

2008-04-10 20:54:35 +0000

[diff] [blame]

2079

def __init__(self, certfile):

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2080

self.flag = None

2081

self.active = False

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

2082

self.server = self.EchoServer(certfile)

2083

self.port = self.server.port

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2084

threading.Thread.__init__(self)

Benjamin Peterson

4171da5

2008-08-18 21:11:09 +0000

[diff] [blame]

2085

self.daemon = True

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2086

2087

def __str__(self):

2088

return "<%s %s>" % (self.__class__.__name__, self.server)

2089

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2090

def __enter__(self):

2091

self.start(threading.Event())

2092

self.flag.wait()

Antoine Pitrou

2012-01-03 22:46:48 +0100

[diff] [blame]

2093

return self

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2094

2095

def __exit__(self, *args):

2096

if support.verbose:

2097

sys.stdout.write(" cleanup: stopping server.\n")

2098

self.stop()

2099

if support.verbose:

2100

sys.stdout.write(" cleanup: joining server thread.\n")

2101

self.join()

2102

if support.verbose:

2103

sys.stdout.write(" cleanup: successfully joined.\n")

2104

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

2105

def start (self, flag=None):

2106

self.flag = flag

2107

threading.Thread.start(self)

2108

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2109

def run(self):

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

self.active = True

if self.flag:

self.flag.set()

while self.active:

try:

asyncore.loop(1)

except:

pass

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2119

def stop(self):

Bill Janssen

2007-12-14 22:08:56 +0000

[diff] [blame]

self.active = False

self.server.close()

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2123

def server_params_test(client_context, server_context, indata=b"FOO\n",

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

2124

chatty=True, connectionchatty=False, sni_name=None):

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2125

"""

2126

Launch a server, connect a client to it and try various reads

2127

and writes.

2128

"""

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

2129

stats = {}

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2130

server = ThreadedEchoServer(context=server_context,

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2131

chatty=chatty,

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

2132

connectionchatty=False)

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2133

with server:

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

2134

with client_context.wrap_socket(socket.socket(),

2135

server_hostname=sni_name) as s:

Antoine Pitrou

eba63c4

2012-01-28 17:38:34 +0100

[diff] [blame]

2136

s.connect((HOST, server.port))

2137

for arg in [indata, bytearray(indata), memoryview(indata)]:

if connectionchatty:

if support.verbose:

sys.stdout.write(

" client: sending %r...\n" % indata)

s.write(arg)

outdata = s.read()

if connectionchatty:

if support.verbose:

sys.stdout.write(" client: read %r\n" % outdata)

2147

if outdata != indata.lower():

2148

raise AssertionError(

2149

"bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"

2150

% (outdata[:20], len(outdata),

2151

indata[:20].lower(), len(indata)))

2152

s.write(b"over\n")

Antoine Pitrou

7d7aede

2009-11-25 18:55:32 +0000

[diff] [blame]

2153

if connectionchatty:

2154

if support.verbose:

Antoine Pitrou

eba63c4

2012-01-28 17:38:34 +0100

[diff] [blame]

2155

sys.stdout.write(" client: closing connection.\n")

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

2156

stats.update({

Antoine Pitrou

ce816a5

2012-01-28 17:40:23 +0100

[diff] [blame]

2157

'compression': s.compression(),

2158

'cipher': s.cipher(),

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

2159

'peercert': s.getpeercert(),

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

2160

'client_alpn_protocol': s.selected_alpn_protocol(),

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2161

'client_npn_protocol': s.selected_npn_protocol(),

2162

'version': s.version(),

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

2163

})

Antoine Pitrou

eba63c4

2012-01-28 17:38:34 +0100

[diff] [blame]

2164

s.close()

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

2165

stats['server_alpn_protocols'] = server.selected_alpn_protocols

2166

stats['server_npn_protocols'] = server.selected_npn_protocols

Benjamin Peterson

2015-01-07 11:14:26 -0600

[diff] [blame]

2167

stats['server_shared_ciphers'] = server.shared_ciphers

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

2168

return stats

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

2169

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2170

def try_protocol_combo(server_protocol, client_protocol, expect_success,

2171

certsreqs=None, server_options=0, client_options=0):

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2172

"""

2173

Try to SSL-connect using *client_protocol* to *server_protocol*.

2174

If *expect_success* is true, assert that the connection succeeds,

2175

if it's false, assert that the connection fails.

2176

Also, if *expect_success* is a string, assert that it is the protocol

2177

version actually used by the connection.

2178

"""

Benjamin Peterson

2a691a8

2008-03-31 01:51:45 +0000

[diff] [blame]

2179

if certsreqs is None:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2180

certsreqs = ssl.CERT_NONE

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2181

certtype = {

2182

ssl.CERT_NONE: "CERT_NONE",

2183

ssl.CERT_OPTIONAL: "CERT_OPTIONAL",

2184

ssl.CERT_REQUIRED: "CERT_REQUIRED",

2185

}[certsreqs]

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2186

if support.verbose:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2187

formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2188

sys.stdout.write(formatstr %

2189

(ssl.get_protocol_name(client_protocol),

2190

ssl.get_protocol_name(server_protocol),

2191

certtype))

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2192

client_context = ssl.SSLContext(client_protocol)

Antoine Pitrou

32c4915

2014-01-09 21:28:48 +0100

[diff] [blame]

2193

client_context.options |= client_options

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2194

server_context = ssl.SSLContext(server_protocol)

Antoine Pitrou

32c4915

2014-01-09 21:28:48 +0100

[diff] [blame]

2195

server_context.options |= server_options

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2196

2197

# NOTE: we must enable "ALL" ciphers on the client, otherwise an

2198

# SSLv23 client will send an SSLv3 hello (rather than SSLv2)

2199

# starting from OpenSSL 1.0.0 (see issue #8322).

2200

if client_context.protocol == ssl.PROTOCOL_SSLv23:

2201

client_context.set_ciphers("ALL")

2202

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2203

for ctx in (client_context, server_context):

2204

ctx.verify_mode = certsreqs

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2205

ctx.load_cert_chain(CERTFILE)

2206

ctx.load_verify_locations(CERTFILE)

2207

try:

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2208

stats = server_params_test(client_context, server_context,

2209

chatty=False, connectionchatty=False)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2210

# Protocol mismatch can result in either an SSLError, or a

2211

# "Connection reset by peer" error.

2212

except ssl.SSLError:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2213

if expect_success:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2214

raise

Andrew Svetlov

2012-12-18 23:10:48 +0200

[diff] [blame]

2215

except OSError as e:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2216

if expect_success or e.errno != errno.ECONNRESET:

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2217

raise

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2218

else:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2219

if not expect_success:

Antoine Pitrou

d75b2a9

2010-05-06 14:15:10 +0000

[diff] [blame]

2220

raise AssertionError(

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2221

"Client protocol %s succeeded with server protocol %s!"

2222

% (ssl.get_protocol_name(client_protocol),

2223

ssl.get_protocol_name(server_protocol)))

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2224

elif (expect_success is not True

2225

and expect_success != stats['version']):

2226

raise AssertionError("version mismatch: expected %r, got %r"

2227

% (expect_success, stats['version']))

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2228

2229

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

2230

class ThreadedTests(unittest.TestCase):

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2231

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

2232

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2233

def test_echo(self):

2234

"""Basic test of an SSL client connecting to a server"""

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2235

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2236

sys.stdout.write("\n")

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2237

for protocol in PROTOCOLS:

Antoine Pitrou

972d5bb

2013-03-29 17:56:03 +0100

[diff] [blame]

2238

with self.subTest(protocol=ssl._PROTOCOL_NAMES[protocol]):

2239

context = ssl.SSLContext(protocol)

2240

context.load_cert_chain(CERTFILE)

2241

server_params_test(context, context,

2242

chatty=True, connectionchatty=True)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2243

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2244

def test_getpeercert(self):

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2245

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2246

sys.stdout.write("\n")

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2247

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

2248

context.verify_mode = ssl.CERT_REQUIRED

2249

context.load_verify_locations(CERTFILE)

2250

context.load_cert_chain(CERTFILE)

2251

server = ThreadedEchoServer(context=context, chatty=False)

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2252

with server:

Antoine Pitrou

20b8555

2013-09-29 19:50:53 +0200

[diff] [blame]

2253

s = context.wrap_socket(socket.socket(),

2254

do_handshake_on_connect=False)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2255

s.connect((HOST, server.port))

Antoine Pitrou

20b8555

2013-09-29 19:50:53 +0200

[diff] [blame]

2256

# getpeercert() raise ValueError while the handshake isn't

2257

# done.

2258

with self.assertRaises(ValueError):

2259

s.getpeercert()

2260

s.do_handshake()

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2261

cert = s.getpeercert()

2262

self.assertTrue(cert, "Can't get peer certificate.")

2263

cipher = s.cipher()

2264

if support.verbose:

2265

sys.stdout.write(pprint.pformat(cert) + '\n')

2266

sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')

2267

if 'subject' not in cert:

2268

self.fail("No subject field in certificate: %s." %

2269

pprint.pformat(cert))

2270

if ((('organizationName', 'Python Software Foundation'),)

2271

not in cert['subject']):

2272

self.fail(

2273

"Missing or invalid 'organizationName' field in certificate subject; "

2274

"should be 'Python Software Foundation'.")

Antoine Pitrou

fb04691

2010-11-09 20:21:19 +0000

[diff] [blame]

2275

self.assertIn('notBefore', cert)

2276

self.assertIn('notAfter', cert)

2277

before = ssl.cert_time_to_seconds(cert['notBefore'])

2278

after = ssl.cert_time_to_seconds(cert['notAfter'])

2279

self.assertLess(before, after)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2280

s.close()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2281

Christian Heimes

2427b50

2013-11-23 11:24:32 +0100

[diff] [blame]

2282

@unittest.skipUnless(have_verify_flags(),

2283

"verify_flags need OpenSSL > 0.9.8")

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

2284

def test_crl_check(self):

2285

if support.verbose:

2286

sys.stdout.write("\n")

2287

2288

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

2289

server_context.load_cert_chain(SIGNED_CERTFILE)

2290

2291

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

2292

context.verify_mode = ssl.CERT_REQUIRED

2293

context.load_verify_locations(SIGNING_CA)

Benjamin Peterson

c3d9c5c

2015-03-04 23:18:48 -0500

[diff] [blame]

2294

tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)

2295

self.assertEqual(context.verify_flags, ssl.VERIFY_DEFAULT | tf)

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

2296

2297

# VERIFY_DEFAULT should pass

2298

server = ThreadedEchoServer(context=server_context, chatty=True)

2299

with server:

2300

with context.wrap_socket(socket.socket()) as s:

2301

s.connect((HOST, server.port))

2302

cert = s.getpeercert()

2303

self.assertTrue(cert, "Can't get peer certificate.")

2304

2305

# VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails

Christian Heimes

32f0c7a

2013-11-22 03:43:48 +0100

[diff] [blame]

2306

context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF

Christian Heimes

2013-11-21 23:56:13 +0100

[diff] [blame]

2307

2308

server = ThreadedEchoServer(context=server_context, chatty=True)

2309

with server:

2310

with context.wrap_socket(socket.socket()) as s:

2311

with self.assertRaisesRegex(ssl.SSLError,

2312

"certificate verify failed"):

2313

s.connect((HOST, server.port))

2314

2315

# now load a CRL file. The CRL file is signed by the CA.

2316

context.load_verify_locations(CRLFILE)

2317

2318

server = ThreadedEchoServer(context=server_context, chatty=True)

2319

with server:

2320

with context.wrap_socket(socket.socket()) as s:

2321

s.connect((HOST, server.port))

2322

cert = s.getpeercert()

2323

self.assertTrue(cert, "Can't get peer certificate.")

2324

Christian Heimes

2013-12-02 02:41:19 +0100

[diff] [blame]

2325

def test_check_hostname(self):

2326

if support.verbose:

2327

sys.stdout.write("\n")

2328

2329

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

2330

server_context.load_cert_chain(SIGNED_CERTFILE)

2331

2332

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

2333

context.verify_mode = ssl.CERT_REQUIRED

2334

context.check_hostname = True

2335

context.load_verify_locations(SIGNING_CA)

2336

2337

# correct hostname should verify

2338

server = ThreadedEchoServer(context=server_context, chatty=True)

2339

with server:

2340

with context.wrap_socket(socket.socket(),

2341

server_hostname="localhost") as s:

2342

s.connect((HOST, server.port))

2343

cert = s.getpeercert()

2344

self.assertTrue(cert, "Can't get peer certificate.")

2345

2346

# incorrect hostname should raise an exception

2347

server = ThreadedEchoServer(context=server_context, chatty=True)

2348

with server:

2349

with context.wrap_socket(socket.socket(),

2350

server_hostname="invalid") as s:

2351

with self.assertRaisesRegex(ssl.CertificateError,

2352

"hostname 'invalid' doesn't match 'localhost'"):

2353

s.connect((HOST, server.port))

2354

2355

# missing server_hostname arg should cause an exception, too

2356

server = ThreadedEchoServer(context=server_context, chatty=True)

2357

with server:

2358

with socket.socket() as s:

2359

with self.assertRaisesRegex(ValueError,

2360

"check_hostname requires server_hostname"):

2361

context.wrap_socket(s)

2362

Martin Panter

2016-01-30 03:41:43 +0000

[diff] [blame]

2363

def test_wrong_cert(self):

Martin Panter

3464ea2

2016-02-01 21:58:11 +0000

[diff] [blame]

2364

"""Connecting when the server rejects the client's certificate

2365

2366

Launch a server with CERT_REQUIRED, and check that trying to

2367

connect to it with a wrong client certificate fails.

2368

"""

2369

certfile = os.path.join(os.path.dirname(__file__) or os.curdir,

2370

"wrongcert.pem")

2371

server = ThreadedEchoServer(CERTFILE,

2372

certreqs=ssl.CERT_REQUIRED,

2373

cacerts=CERTFILE, chatty=False,

2374

connectionchatty=False)

2375

with server, \

2376

socket.socket() as sock, \

2377

ssl.wrap_socket(sock,

2378

certfile=certfile,

2379

ssl_version=ssl.PROTOCOL_TLSv1) as s:

2380

try:

2381

# Expect either an SSL error about the server rejecting

2382

# the connection, or a low-level connection reset (which

2383

# sometimes happens on Windows)

2384

s.connect((HOST, server.port))

2385

except ssl.SSLError as e:

2386

if support.verbose:

2387

sys.stdout.write("\nSSLError is %r\n" % e)

2388

except OSError as e:

2389

if e.errno != errno.ECONNRESET:

2390

raise

2391

if support.verbose:

2392

sys.stdout.write("\nsocket.error is %r\n" % e)

2393

else:

2394

self.fail("Use of invalid cert should have failed!")

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2395

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2396

def test_rude_shutdown(self):

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

2397

"""A brutal shutdown of an SSL server should raise an OSError

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2398

in the client when attempting handshake.

2399

"""

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2400

listener_ready = threading.Event()

2401

listener_gone = threading.Event()

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2402

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

2403

s = socket.socket()

2404

port = support.bind_port(s, HOST)

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2405

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

2406

# `listener` runs in a thread. It sits in an accept() until

2407

# the main thread connects. Then it rudely closes the socket,

2408

# and sets Event `listener_gone` to let the main thread know

2409

# the socket is gone.

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2410

def listener():

Charles-François Natali

2014-07-23 19:28:13 +0100

[diff] [blame]

2411

s.listen()

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2412

listener_ready.set()

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

2413

newsock, addr = s.accept()

2414

newsock.close()

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

2415

s.close()

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

listener_gone.set()

def connector():

listener_ready.wait()

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

2420

with socket.socket() as c:

2421

c.connect((HOST, port))

2422

listener_gone.wait()

2423

try:

2424

ssl_sock = ssl.wrap_socket(c)

Andrew Svetlov

2012-12-25 16:47:37 +0200

[diff] [blame]

2425

except OSError:

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

2426

pass

2427

else:

2428

self.fail('connecting to closed SSL socket should have failed')

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2429

2430

t = threading.Thread(target=listener)

2431

t.start()

Antoine Pitrou

2010-04-27 08:53:36 +0000

[diff] [blame]

try:

connector()

finally:

t.join()

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2436

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

2437

@skip_if_broken_ubuntu_ssl

Victor Stinner

2011-05-09 00:42:58 +0200

[diff] [blame]

2438

@unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'),

2439

"OpenSSL is compiled without SSLv2 support")

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2440

def test_protocol_sslv2(self):

2441

"""Connecting to an SSLv2 server with various client options"""

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2442

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2443

sys.stdout.write("\n")

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2444

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)

2445

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)

2446

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)

Antoine Pitrou

cd3d7ca

2014-01-09 20:02:20 +0100

[diff] [blame]

2447

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False)

Victor Stinner

648b862

2014-12-12 12:23:59 +0100

[diff] [blame]

2448

if hasattr(ssl, 'PROTOCOL_SSLv3'):

2449

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2450

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2451

# SSLv23 client with specific SSL options

2452

if no_sslv2_implies_sslv3_hello():

2453

# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs

2454

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,

2455

client_options=ssl.OP_NO_SSLv2)

Antoine Pitrou

cd3d7ca

2014-01-09 20:02:20 +0100

[diff] [blame]

2456

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2457

client_options=ssl.OP_NO_SSLv3)

Antoine Pitrou

cd3d7ca

2014-01-09 20:02:20 +0100

[diff] [blame]

2458

try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2459

client_options=ssl.OP_NO_TLSv1)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2460

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

2461

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2462

def test_protocol_sslv23(self):

2463

"""Connecting to an SSLv23 server with various client options"""

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2464

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2465

sys.stdout.write("\n")

Victor Stinner

2011-05-09 00:42:58 +0200

[diff] [blame]

2466

if hasattr(ssl, 'PROTOCOL_SSLv2'):

2467

try:

2468

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)

Andrew Svetlov

2012-12-18 23:10:48 +0200

[diff] [blame]

2469

except OSError as x:

Victor Stinner

2011-05-09 00:42:58 +0200

[diff] [blame]

2470

# this fails on some older versions of OpenSSL (0.9.7l, for instance)

2471

if support.verbose:

2472

sys.stdout.write(

2473

" SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"

2474

% str(x))

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2475

if hasattr(ssl, 'PROTOCOL_SSLv3'):

Benjamin Peterson

2015-11-11 22:38:41 -0800

[diff] [blame]

2476

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2477

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2478

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2479

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2480

if hasattr(ssl, 'PROTOCOL_SSLv3'):

Benjamin Peterson

2015-11-11 22:38:41 -0800

[diff] [blame]

2481

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2482

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2483

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2484

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2485

if hasattr(ssl, 'PROTOCOL_SSLv3'):

Benjamin Peterson

2015-11-11 22:38:41 -0800

[diff] [blame]

2486

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2487

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2488

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2489

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2490

# Server with specific SSL options

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2491

if hasattr(ssl, 'PROTOCOL_SSLv3'):

2492

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2493

server_options=ssl.OP_NO_SSLv3)

2494

# Will choose TLSv1

2495

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,

2496

server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)

2497

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, False,

2498

server_options=ssl.OP_NO_TLSv1)

2499

2500

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

2501

@skip_if_broken_ubuntu_ssl

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2502

@unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv3'),

2503

"OpenSSL is compiled without SSLv3 support")

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2504

def test_protocol_sslv3(self):

2505

"""Connecting to an SSLv3 server with various client options"""

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2506

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2507

sys.stdout.write("\n")

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2508

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')

2509

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)

2510

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)

Victor Stinner

2011-05-09 00:42:58 +0200

[diff] [blame]

2511

if hasattr(ssl, 'PROTOCOL_SSLv2'):

2512

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)

Barry Warsaw

46ae0ef

2011-10-28 16:52:17 -0400

[diff] [blame]

2513

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,

2514

client_options=ssl.OP_NO_SSLv3)

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2515

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)

Antoine Pitrou

2010-05-21 09:56:06 +0000

[diff] [blame]

2516

if no_sslv2_implies_sslv3_hello():

2517

# No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs

Benjamin Peterson

2015-11-11 22:38:41 -0800

[diff] [blame]

2518

try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23,

2519

False, client_options=ssl.OP_NO_SSLv2)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2520

Antoine Pitrou

2010-08-04 17:14:06 +0000

[diff] [blame]

2521

@skip_if_broken_ubuntu_ssl

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2522

def test_protocol_tlsv1(self):

2523

"""Connecting to a TLSv1 server with various client options"""

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2524

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2525

sys.stdout.write("\n")

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2526

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')

2527

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)

2528

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)

Victor Stinner

2011-05-09 00:42:58 +0200

[diff] [blame]

2529

if hasattr(ssl, 'PROTOCOL_SSLv2'):

2530

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2531

if hasattr(ssl, 'PROTOCOL_SSLv3'):

2532

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)

Barry Warsaw

46ae0ef

2011-10-28 16:52:17 -0400

[diff] [blame]

2533

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,

2534

client_options=ssl.OP_NO_TLSv1)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2535

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2536

@skip_if_broken_ubuntu_ssl

2537

@unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),

2538

"TLS version 1.1 not supported.")

2539

def test_protocol_tlsv1_1(self):

2540

"""Connecting to a TLSv1.1 server with various client options.

2541

Testing against older TLS versions."""

2542

if support.verbose:

2543

sys.stdout.write("\n")

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2544

try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2545

if hasattr(ssl, 'PROTOCOL_SSLv2'):

2546

try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2547

if hasattr(ssl, 'PROTOCOL_SSLv3'):

2548

try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2549

try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,

2550

client_options=ssl.OP_NO_TLSv1_1)

2551

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2552

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2553

try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)

2554

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)

2555

2556

2557

@skip_if_broken_ubuntu_ssl

2558

@unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),

2559

"TLS version 1.2 not supported.")

2560

def test_protocol_tlsv1_2(self):

2561

"""Connecting to a TLSv1.2 server with various client options.

2562

Testing against older TLS versions."""

2563

if support.verbose:

2564

sys.stdout.write("\n")

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2565

try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2566

server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,

2567

client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)

2568

if hasattr(ssl, 'PROTOCOL_SSLv2'):

2569

try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)

Benjamin Peterson

2014-12-05 21:59:35 -0500

[diff] [blame]

2570

if hasattr(ssl, 'PROTOCOL_SSLv3'):

2571

try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2572

try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv23, False,

2573

client_options=ssl.OP_NO_TLSv1_2)

2574

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2575

try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')

Antoine Pitrou

2013-03-28 22:24:43 +0100

[diff] [blame]

2576

try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)

2577

try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)

2578

try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)

2579

try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)

2580

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2581

def test_starttls(self):

2582

"""Switching from clear text to encrypted and back again."""

2583

msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2584

Trent Nelson

7852000

2008-04-10 20:54:35 +0000

[diff] [blame]

2585

server = ThreadedEchoServer(CERTFILE,

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2586

ssl_version=ssl.PROTOCOL_TLSv1,

2587

starttls_server=True,

2588

chatty=True,

2589

connectionchatty=True)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2590

wrapped = False

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2591

with server:

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2592

s = socket.socket()

2593

s.setblocking(1)

2594

s.connect((HOST, server.port))

2595

if support.verbose:

2596

sys.stdout.write("\n")

2597

for indata in msgs:

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2598

if support.verbose:

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2599

sys.stdout.write(

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2600

" client: sending %r...\n" % indata)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2601

if wrapped:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2602

conn.write(indata)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2603

outdata = conn.read()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2604

else:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2605

s.send(indata)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2606

outdata = s.recv(1024)

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2607

msg = outdata.strip().lower()

2608

if indata == b"STARTTLS" and msg.startswith(b"ok"):

2609

# STARTTLS ok, switch to secure mode

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2610

if support.verbose:

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2611

sys.stdout.write(

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2612

" client: read %r from server, starting TLS...\n"

2613

% msg)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2614

conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)

2615

wrapped = True

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2616

elif indata == b"ENDTLS" and msg.startswith(b"ok"):

2617

# ENDTLS ok, switch back to clear text

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2618

if support.verbose:

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2619

sys.stdout.write(

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2620

" client: read %r from server, ending TLS...\n"

2621

% msg)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

s = conn.unwrap()

wrapped = False

else:

if support.verbose:

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2626

sys.stdout.write(

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2627

" client: read %r from server\n" % msg)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2628

if support.verbose:

2629

sys.stdout.write(" client: closing connection.\n")

2630

if wrapped:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2631

conn.write(b"over\n")

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2632

else:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2633

s.send(b"over\n")

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

2634

if wrapped:

2635

conn.close()

2636

else:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2637

s.close()

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2638

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2639

def test_socketserver(self):

2640

"""Using a SocketServer to create and manage SSL connections."""

Antoine Pitrou

da23259

2013-02-05 21:20:51 +0100

[diff] [blame]

2641

server = make_https_server(self, certfile=CERTFILE)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2642

# try to connect

Antoine Pitrou

2010-10-13 10:36:15 +0000

[diff] [blame]

2643

if support.verbose:

2644

sys.stdout.write('\n')

2645

with open(CERTFILE, 'rb') as f:

2646

d1 = f.read()

2647

d2 = ''

2648

# now fetch the same data from the HTTPS server

Benjamin Peterson

4ffb075

2014-11-03 14:29:33 -0500

[diff] [blame]

2649

url = 'https://localhost:%d/%s' % (

2650

server.port, os.path.split(CERTFILE)[1])

2651

context = ssl.create_default_context(cafile=CERTFILE)

2652

f = urllib.request.urlopen(url, context=context)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2653

try:

Barry Warsaw

820c120

2008-06-12 04:06:45 +0000

[diff] [blame]

2654

dlen = f.info().get("content-length")

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2655

if dlen and (int(dlen) > 0):

2656

d2 = f.read(int(dlen))

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2657

if support.verbose:

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2658

sys.stdout.write(

2659

" client: read %d bytes from remote server '%s'\n"

2660

% (len(d2), server))

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2661

finally:

Antoine Pitrou

2010-10-13 10:36:15 +0000

[diff] [blame]

2662

f.close()

2663

self.assertEqual(d1, d2)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

2664

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2665

def test_asyncore_server(self):

2666

"""Check the example asyncore integration."""

2667

indata = "TEST MESSAGE of mixed case\n"

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2668

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2669

if support.verbose:

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2670

sys.stdout.write("\n")

2671

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2672

indata = b"FOO\n"

Trent Nelson

7852000

2008-04-10 20:54:35 +0000

[diff] [blame]

2673

server = AsyncoreEchoServer(CERTFILE)

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2674

with server:

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2675

s = ssl.wrap_socket(socket.socket())

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2676

s.connect(('127.0.0.1', server.port))

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2677

if support.verbose:

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2678

sys.stdout.write(

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2679

" client: sending %r...\n" % indata)

2680

s.write(indata)

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2681

outdata = s.read()

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2682

if support.verbose:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2683

sys.stdout.write(" client: read %r\n" % outdata)

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2684

if outdata != indata.lower():

Antoine Pitrou

2010-04-27 10:59:39 +0000

[diff] [blame]

2685

self.fail(

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2686

"bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"

2687

% (outdata[:20], len(outdata),

2688

indata[:20].lower(), len(indata)))

2689

s.write(b"over\n")

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

2690

if support.verbose:

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2691

sys.stdout.write(" client: closing connection.\n")

2692

s.close()

Antoine Pitrou

ed98636

2010-08-15 23:28:10 +0000

[diff] [blame]

2693

if support.verbose:

2694

sys.stdout.write(" client: connection closed.\n")

Trent Nelson

2008-04-10 20:12:06 +0000

[diff] [blame]

2695

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2696

def test_recv_send(self):

2697

"""Test recv(), send() and friends."""

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2698

if support.verbose:

2699

sys.stdout.write("\n")

2700

2701

server = ThreadedEchoServer(CERTFILE,

2702

certreqs=ssl.CERT_NONE,

2703

ssl_version=ssl.PROTOCOL_TLSv1,

2704

cacerts=CERTFILE,

2705

chatty=True,

2706

connectionchatty=False)

Antoine Pitrou

2011-12-21 16:52:40 +0100

[diff] [blame]

2707

with server:

2708

s = ssl.wrap_socket(socket.socket(),

server_side=False,

certfile=CERTFILE,

ca_certs=CERTFILE,

cert_reqs=ssl.CERT_NONE,

2713

ssl_version=ssl.PROTOCOL_TLSv1)

2714

s.connect((HOST, server.port))

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2715

# helper methods for standardising recv* method signatures

2716

def _recv_into():

2717

b = bytearray(b"\0"*100)

2718

count = s.recv_into(b)

2719

return b[:count]

2720

2721

def _recvfrom_into():

2722

b = bytearray(b"\0"*100)

2723

count, addr = s.recvfrom_into(b)

2724

return b[:count]

2725

Martin Panter

2016-04-03 02:12:54 +0000

[diff] [blame]

2726

# (name, method, expect success?, *args, return value func)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2727

send_methods = [

Martin Panter

2016-04-03 02:12:54 +0000

[diff] [blame]

2728

('send', s.send, True, [], len),

2729

('sendto', s.sendto, False, ["some.address"], len),

2730

('sendall', s.sendall, True, [], lambda x: None),

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2731

]

Martin Panter

2016-04-03 02:12:54 +0000

[diff] [blame]

2732

# (name, method, whether to expect success, *args)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2733

recv_methods = [

2734

('recv', s.recv, True, []),

2735

('recvfrom', s.recvfrom, False, ["some.address"]),

2736

('recv_into', _recv_into, True, []),

2737

('recvfrom_into', _recvfrom_into, False, []),

2738

]

2739

data_prefix = "PREFIX_"

2740

Martin Panter

2016-04-03 02:12:54 +0000

[diff] [blame]

2741

for (meth_name, send_meth, expect_success, args,

2742

ret_val_meth) in send_methods:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2743

indata = (data_prefix + meth_name).encode('ascii')

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2744

try:

Martin Panter

2016-04-03 02:12:54 +0000

[diff] [blame]

2745

ret = send_meth(indata, *args)

2746

msg = "sending with {}".format(meth_name)

2747

self.assertEqual(ret, ret_val_meth(indata), msg=msg)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2748

outdata = s.read()

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2749

if outdata != indata.lower():

Georg Brandl

2010-03-14 10:23:39 +0000

[diff] [blame]

2750

self.fail(

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2751

"While sending with <<{name:s}>> bad data "

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2752

"<<{outdata:r}>> ({nout:d}) received; "

2753

"expected <<{indata:r}>> ({nin:d})\n".format(

2754

name=meth_name, outdata=outdata[:20],

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2755

nout=len(outdata),

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2756

indata=indata[:20], nin=len(indata)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2757

)

2758

)

2759

except ValueError as e:

2760

if expect_success:

Georg Brandl

2010-03-14 10:23:39 +0000

[diff] [blame]

2761

self.fail(

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2762

"Failed to send with method <<{name:s}>>; "

2763

"expected to succeed.\n".format(name=meth_name)

2764

)

2765

if not str(e).startswith(meth_name):

Georg Brandl

2010-03-14 10:23:39 +0000

[diff] [blame]

2766

self.fail(

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2767

"Method <<{name:s}>> failed with unexpected "

2768

"exception message: {exp:s}\n".format(

2769

name=meth_name, exp=e

)

)

for meth_name, recv_meth, expect_success, args in recv_methods:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2774

indata = (data_prefix + meth_name).encode('ascii')

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2775

try:

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2776

s.send(indata)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2777

outdata = recv_meth(*args)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2778

if outdata != indata.lower():

Georg Brandl

2010-03-14 10:23:39 +0000

[diff] [blame]

2779

self.fail(

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2780

"While receiving with <<{name:s}>> bad data "

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2781

"<<{outdata:r}>> ({nout:d}) received; "

2782

"expected <<{indata:r}>> ({nin:d})\n".format(

2783

name=meth_name, outdata=outdata[:20],

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2784

nout=len(outdata),

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2785

indata=indata[:20], nin=len(indata)

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2786

)

2787

)

2788

except ValueError as e:

2789

if expect_success:

Georg Brandl

2010-03-14 10:23:39 +0000

[diff] [blame]

2790

self.fail(

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2791

"Failed to receive with method <<{name:s}>>; "

2792

"expected to succeed.\n".format(name=meth_name)

2793

)

2794

if not str(e).startswith(meth_name):

Georg Brandl

2010-03-14 10:23:39 +0000

[diff] [blame]

2795

self.fail(

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2796

"Method <<{name:s}>> failed with unexpected "

2797

"exception message: {exp:s}\n".format(

2798

name=meth_name, exp=e

)

)

# consume data

s.read()

Martin Panter

2016-03-28 00:22:09 +0000

[diff] [blame]

2804

# read(-1, buffer) is supported, even though read(-1) is not

Martin Panter

bed7f1a

2016-07-11 00:17:13 +0000

[diff] [blame]

2805

data = b"data"

Martin Panter

5503d47

2016-03-27 05:35:19 +0000

[diff] [blame]

2806

s.send(data)

2807

buffer = bytearray(len(data))

2808

self.assertEqual(s.read(-1, buffer), len(data))

2809

self.assertEqual(buffer, data)

2810

Nick Coghlan

513886a

2011-08-28 00:00:27 +1000

[diff] [blame]

2811

# Make sure sendmsg et al are disallowed to avoid

2812

# inadvertent disclosure of data and/or corruption

2813

# of the encrypted data stream

2814

self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])

2815

self.assertRaises(NotImplementedError, s.recvmsg, 100)

2816

self.assertRaises(NotImplementedError,

2817

s.recvmsg_into, bytearray(100))

2818

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

2819

s.write(b"over\n")

Martin Panter

5503d47

2016-03-27 05:35:19 +0000

[diff] [blame]

2820

2821

self.assertRaises(ValueError, s.recv, -1)

2822

self.assertRaises(ValueError, s.read, -1)

2823

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2824

s.close()

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

2825

Martin Panter

bed7f1a

2016-07-11 00:17:13 +0000

[diff] [blame]

2826

def test_recv_zero(self):

2827

server = ThreadedEchoServer(CERTFILE)

2828

server.__enter__()

2829

self.addCleanup(server.__exit__, None, None)

2830

s = socket.create_connection((HOST, server.port))

2831

self.addCleanup(s.close)

2832

s = ssl.wrap_socket(s, suppress_ragged_eofs=False)

2833

self.addCleanup(s.close)

2834

2835

# recv/read(0) should return no data

2836

s.send(b"data")

2837

self.assertEqual(s.recv(0), b"")

2838

self.assertEqual(s.read(0), b"")

2839

self.assertEqual(s.read(), b"data")

2840

2841

# Should not block if the other end sends no data

2842

s.setblocking(False)

2843

self.assertEqual(s.recv(0), b"")

2844

self.assertEqual(s.recv_into(bytearray()), 0)

2845

Antoine Pitrou

b4bebda

2014-04-29 10:03:28 +0200

[diff] [blame]

2846

def test_nonblocking_send(self):

2847

server = ThreadedEchoServer(CERTFILE,

2848

certreqs=ssl.CERT_NONE,

2849

ssl_version=ssl.PROTOCOL_TLSv1,

2850

cacerts=CERTFILE,

2851

chatty=True,

2852

connectionchatty=False)

2853

with server:

2854

s = ssl.wrap_socket(socket.socket(),

server_side=False,

certfile=CERTFILE,

ca_certs=CERTFILE,

cert_reqs=ssl.CERT_NONE,

2859

ssl_version=ssl.PROTOCOL_TLSv1)

2860

s.connect((HOST, server.port))

2861

s.setblocking(False)

2862

2863

# If we keep sending data, at some point the buffers

2864

# will be full and the call will block

2865

buf = bytearray(8192)

def fill_buffer():

while True:

s.send(buf)

self.assertRaises((ssl.SSLWantWriteError,

2870

ssl.SSLWantReadError), fill_buffer)

2871

2872

# Now read all the output and discard it

s.setblocking(True)

s.close()

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2876

def test_handshake_timeout(self):

2877

# Issue #5103: SSL handshake must respect the socket timeout

2878

server = socket.socket(socket.AF_INET)

2879

host = "127.0.0.1"

2880

port = support.bind_port(server)

2881

started = threading.Event()

2882

finish = False

2883

2884

def serve():

Charles-François Natali

2014-07-23 19:28:13 +0100

[diff] [blame]

2885

server.listen()

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

started.set()

conns = []

while not finish:

r, w, e = select.select([server], [], [], 0.1)

2890

if server in r:

2891

# Let the socket hang around rather than having

2892

# it closed by garbage collection.

2893

conns.append(server.accept()[0])

Antoine Pitrou

2010-10-29 23:41:37 +0000

[diff] [blame]

2894

for sock in conns:

2895

sock.close()

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2896

2897

t = threading.Thread(target=serve)

t.start()

started.wait()

try:

Antoine Pitrou

2010-04-24 22:04:40 +0000

[diff] [blame]

2902

try:

2903

c = socket.socket(socket.AF_INET)

2904

c.settimeout(0.2)

2905

c.connect((host, port))

2906

# Will attempt handshake and time out

Antoine Pitrou

c4df784

2010-12-03 19:59:41 +0000

[diff] [blame]

2907

self.assertRaisesRegex(socket.timeout, "timed out",

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

2908

ssl.wrap_socket, c)

Antoine Pitrou

2010-04-24 22:04:40 +0000

[diff] [blame]

2909

finally:

2910

c.close()

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

2911

try:

2912

c = socket.socket(socket.AF_INET)

2913

c = ssl.wrap_socket(c)

2914

c.settimeout(0.2)

2915

# Will attempt handshake and time out

Antoine Pitrou

c4df784

2010-12-03 19:59:41 +0000

[diff] [blame]

2916

self.assertRaisesRegex(socket.timeout, "timed out",

Ezio Melotti

2010-12-01 02:32:32 +0000

[diff] [blame]

2917

c.connect, (host, port))

Antoine Pitrou

2010-04-24 21:26:44 +0000

[diff] [blame]

finally:

c.close()

finally:

finish = True

t.join()

server.close()

Antoine Pitrou

2012-11-11 01:25:36 +0100

[diff] [blame]

2925

def test_server_accept(self):

2926

# Issue #16357: accept() on a SSLSocket created through

2927

# SSLContext.wrap_socket().

2928

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

2929

context.verify_mode = ssl.CERT_REQUIRED

2930

context.load_verify_locations(CERTFILE)

2931

context.load_cert_chain(CERTFILE)

2932

server = socket.socket(socket.AF_INET)

2933

host = "127.0.0.1"

2934

port = support.bind_port(server)

2935

server = context.wrap_socket(server, server_side=True)

2936

2937

evt = threading.Event()

remote = None

peer = None

def serve():

nonlocal remote, peer

Charles-François Natali

2014-07-23 19:28:13 +0100

[diff] [blame]

2942

server.listen()

Antoine Pitrou

5c89b4e

2012-11-11 01:25:36 +0100

[diff] [blame]

2943

# Block on the accept and wait on the connection to close.

2944

evt.set()

2945

remote, peer = server.accept()

2946

remote.recv(1)

2947

2948

t = threading.Thread(target=serve)

2949

t.start()

2950

# Client wait until server setup and perform a connect.

2951

evt.wait()

2952

client = context.wrap_socket(socket.socket())

2953

client.connect((host, port))

2954

client_addr = client.getsockname()

2955

client.close()

2956

t.join()

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

2957

remote.close()

2958

server.close()

Antoine Pitrou

5c89b4e

2012-11-11 01:25:36 +0100

[diff] [blame]

2959

# Sanity checks.

2960

self.assertIsInstance(remote, ssl.SSLSocket)

2961

self.assertEqual(peer, client_addr)

2962

Antoine Pitrou

242db72

2013-05-01 20:52:07 +0200

[diff] [blame]

2963

def test_getpeercert_enotconn(self):

2964

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

2965

with context.wrap_socket(socket.socket()) as sock:

2966

with self.assertRaises(OSError) as cm:

2967

sock.getpeercert()

2968

self.assertEqual(cm.exception.errno, errno.ENOTCONN)

2969

2970

def test_do_handshake_enotconn(self):

2971

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

2972

with context.wrap_socket(socket.socket()) as sock:

2973

with self.assertRaises(OSError) as cm:

2974

sock.do_handshake()

2975

self.assertEqual(cm.exception.errno, errno.ENOTCONN)

2976

Antoine Pitrou

2012-01-03 22:46:48 +0100

[diff] [blame]

2977

def test_default_ciphers(self):

2978

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

2979

try:

2980

# Force a set of weak ciphers on our client context

2981

context.set_ciphers("DES")

2982

except ssl.SSLError:

2983

self.skipTest("no DES cipher available")

2984

with ThreadedEchoServer(CERTFILE,

2985

ssl_version=ssl.PROTOCOL_SSLv23,

2986

chatty=False) as server:

Antoine Pitrou

2013-01-12 21:54:44 +0100

[diff] [blame]

2987

with context.wrap_socket(socket.socket()) as s:

Andrew Svetlov

2012-12-18 23:10:48 +0200

[diff] [blame]

2988

with self.assertRaises(OSError):

Antoine Pitrou

2012-01-03 22:46:48 +0100

[diff] [blame]

2989

s.connect((HOST, server.port))

2990

self.assertIn("no shared cipher", str(server.conn_errors[0]))

2991

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

2992

def test_version_basic(self):

2993

"""

2994

Basic tests for SSLSocket.version().

2995

More tests are done in the test_protocol_*() methods.

2996

"""

2997

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

2998

with ThreadedEchoServer(CERTFILE,

2999

ssl_version=ssl.PROTOCOL_TLSv1,

3000

chatty=False) as server:

3001

with context.wrap_socket(socket.socket()) as s:

3002

self.assertIs(s.version(), None)

3003

s.connect((HOST, server.port))

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

3004

self.assertEqual(s.version(), 'TLSv1')

Antoine Pitrou

2014-09-04 21:00:10 +0200

[diff] [blame]

3005

self.assertIs(s.version(), None)

3006

Antoine Pitrou

0bebbc3

2014-03-22 18:13:50 +0100

[diff] [blame]

3007

@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")

3008

def test_default_ecdh_curve(self):

3009

# Issue #21015: elliptic curve-based Diffie Hellman key exchange

3010

# should be enabled by default on SSL contexts.

3011

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

3012

context.load_cert_chain(CERTFILE)

Antoine Pitrou

c043061

2014-04-16 18:33:39 +0200

[diff] [blame]

3013

# Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled

3014

# explicitly using the 'ECCdraft' cipher alias. Otherwise,

3015

# our default cipher list should prefer ECDH-based ciphers

3016

# automatically.

3017

if ssl.OPENSSL_VERSION_INFO < (1, 0, 0):

3018

context.set_ciphers("ECCdraft:ECDH")

Antoine Pitrou

0bebbc3

2014-03-22 18:13:50 +0100

[diff] [blame]

3019

with ThreadedEchoServer(context=context) as server:

3020

with context.wrap_socket(socket.socket()) as s:

3021

s.connect((HOST, server.port))

3022

self.assertIn("ECDH", s.cipher()[0])

3023

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

3024

@unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,

3025

"'tls-unique' channel binding not available")

3026

def test_tls_unique_channel_binding(self):

3027

"""Test tls-unique channel binding."""

3028

if support.verbose:

3029

sys.stdout.write("\n")

3030

3031

server = ThreadedEchoServer(CERTFILE,

3032

certreqs=ssl.CERT_NONE,

3033

ssl_version=ssl.PROTOCOL_TLSv1,

3034

cacerts=CERTFILE,

3035

chatty=True,

3036

connectionchatty=False)

Antoine Pitrou

6b15c90

2011-12-21 16:54:45 +0100

[diff] [blame]

3037

with server:

3038

s = ssl.wrap_socket(socket.socket(),

server_side=False,

certfile=CERTFILE,

ca_certs=CERTFILE,

cert_reqs=ssl.CERT_NONE,

3043

ssl_version=ssl.PROTOCOL_TLSv1)

3044

s.connect((HOST, server.port))

Antoine Pitrou

2011-07-21 01:11:30 +0200

[diff] [blame]

3045

# get the data

3046

cb_data = s.get_channel_binding("tls-unique")

3047

if support.verbose:

3048

sys.stdout.write(" got channel binding data: {0!r}\n"

3049

.format(cb_data))

3050

3051

# check if it is sane

3052

self.assertIsNotNone(cb_data)

3053

self.assertEqual(len(cb_data), 12) # True for TLSv1

3054

3055

# and compare with the peers version

3056

s.write(b"CB tls-unique\n")

3057

peer_data_repr = s.read().strip()

3058

self.assertEqual(peer_data_repr,

3059

repr(cb_data).encode("us-ascii"))

s.close()

# now, again

s = ssl.wrap_socket(socket.socket(),

server_side=False,

certfile=CERTFILE,

ca_certs=CERTFILE,

cert_reqs=ssl.CERT_NONE,

3068

ssl_version=ssl.PROTOCOL_TLSv1)

3069

s.connect((HOST, server.port))

3070

new_cb_data = s.get_channel_binding("tls-unique")

3071

if support.verbose:

3072

sys.stdout.write(" got another channel binding data: {0!r}\n"

3073

.format(new_cb_data))

3074

# is it really unique

3075

self.assertNotEqual(cb_data, new_cb_data)

3076

self.assertIsNotNone(cb_data)

3077

self.assertEqual(len(cb_data), 12) # True for TLSv1

3078

s.write(b"CB tls-unique\n")

3079

peer_data_repr = s.read().strip()

3080

self.assertEqual(peer_data_repr,

3081

repr(new_cb_data).encode("us-ascii"))

3082

s.close()

Bill Janssen

2008-09-08 16:45:19 +0000

[diff] [blame]

3083

Antoine Pitrou

2011-12-20 10:13:40 +0100

[diff] [blame]

3084

def test_compression(self):

3085

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3086

context.load_cert_chain(CERTFILE)

3087

stats = server_params_test(context, context,

3088

chatty=True, connectionchatty=True)

3089

if support.verbose:

3090

sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))

3091

self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })

3092

3093

@unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),

3094

"ssl.OP_NO_COMPRESSION needed for this test")

3095

def test_compression_disabled(self):

3096

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3097

context.load_cert_chain(CERTFILE)

Antoine Pitrou

8691bff

2011-12-20 10:47:42 +0100

[diff] [blame]

3098

context.options |= ssl.OP_NO_COMPRESSION

Antoine Pitrou

2011-12-20 10:13:40 +0100

[diff] [blame]

3099

stats = server_params_test(context, context,

3100

chatty=True, connectionchatty=True)

3101

self.assertIs(stats['compression'], None)

3102

Antoine Pitrou

2011-12-22 10:03:38 +0100

[diff] [blame]

3103

def test_dh_params(self):

3104

# Check we can get a connection with ephemeral Diffie-Hellman

3105

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3106

context.load_cert_chain(CERTFILE)

3107

context.load_dh_params(DHFILE)

3108

context.set_ciphers("kEDH")

3109

stats = server_params_test(context, context,

3110

chatty=True, connectionchatty=True)

3111

cipher = stats["cipher"][0]

3112

parts = cipher.split("-")

3113

if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:

3114

self.fail("Non-DH cipher: " + cipher[0])

3115

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3116

def test_selected_alpn_protocol(self):

3117

# selected_alpn_protocol() is None unless ALPN is used.

3118

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3119

context.load_cert_chain(CERTFILE)

3120

stats = server_params_test(context, context,

3121

chatty=True, connectionchatty=True)

3122

self.assertIs(stats['client_alpn_protocol'], None)

3123

3124

@unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")

3125

def test_selected_alpn_protocol_if_server_uses_alpn(self):

3126

# selected_alpn_protocol() is None unless ALPN is used by the client.

3127

client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3128

client_context.load_verify_locations(CERTFILE)

3129

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3130

server_context.load_cert_chain(CERTFILE)

3131

server_context.set_alpn_protocols(['foo', 'bar'])

3132

stats = server_params_test(client_context, server_context,

3133

chatty=True, connectionchatty=True)

3134

self.assertIs(stats['client_alpn_protocol'], None)

3135

3136

@unittest.skipUnless(ssl.HAS_ALPN, "ALPN support needed for this test")

3137

def test_alpn_protocols(self):

3138

server_protocols = ['foo', 'bar', 'milkshake']

3139

protocol_tests = [

3140

(['foo', 'bar'], 'foo'),

Benjamin Peterson

8861502

2015-01-23 17:30:26 -0500

[diff] [blame]

3141

(['bar', 'foo'], 'foo'),

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3142

(['milkshake'], 'milkshake'),

Benjamin Peterson

8861502

2015-01-23 17:30:26 -0500

[diff] [blame]

3143

(['http/3.0', 'http/4.0'], None)

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3144

]

3145

for client_protocols, expected in protocol_tests:

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

3146

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3147

server_context.load_cert_chain(CERTFILE)

3148

server_context.set_alpn_protocols(server_protocols)

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

3149

client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3150

client_context.load_cert_chain(CERTFILE)

3151

client_context.set_alpn_protocols(client_protocols)

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3152

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

3153

try:

3154

stats = server_params_test(client_context,

3155

server_context,

3156

chatty=True,

3157

connectionchatty=True)

3158

except ssl.SSLError as e:

3159

stats = e

3160

3161

if expected is None and IS_OPENSSL_1_1:

3162

# OpenSSL 1.1.0 raises handshake error

3163

self.assertIsInstance(stats, ssl.SSLError)

3164

else:

3165

msg = "failed trying %s (s) and %s (c).\n" \

3166

"was expecting %s, but got %%s from the %%s" \

3167

% (str(server_protocols), str(client_protocols),

3168

str(expected))

3169

client_result = stats['client_alpn_protocol']

3170

self.assertEqual(client_result, expected,

3171

msg % (client_result, "client"))

3172

server_result = stats['server_alpn_protocols'][-1] \

3173

if len(stats['server_alpn_protocols']) else 'nothing'

3174

self.assertEqual(server_result, expected,

3175

msg % (server_result, "server"))

Benjamin Peterson

2015-01-23 16:35:37 -0500

[diff] [blame]

3176

Antoine Pitrou

2012-03-22 00:23:03 +0100

[diff] [blame]

3177

def test_selected_npn_protocol(self):

3178

# selected_npn_protocol() is None unless NPN is used

3179

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3180

context.load_cert_chain(CERTFILE)

3181

stats = server_params_test(context, context,

3182

chatty=True, connectionchatty=True)

3183

self.assertIs(stats['client_npn_protocol'], None)

3184

3185

@unittest.skipUnless(ssl.HAS_NPN, "NPN support needed for this test")

3186

def test_npn_protocols(self):

3187

server_protocols = ['http/1.1', 'spdy/2']

3188

protocol_tests = [

3189

(['http/1.1', 'spdy/2'], 'http/1.1'),

3190

(['spdy/2', 'http/1.1'], 'http/1.1'),

3191

(['spdy/2', 'test'], 'spdy/2'),

3192

(['abc', 'def'], 'abc')

3193

]

3194

for client_protocols, expected in protocol_tests:

3195

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3196

server_context.load_cert_chain(CERTFILE)

3197

server_context.set_npn_protocols(server_protocols)

3198

client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3199

client_context.load_cert_chain(CERTFILE)

3200

client_context.set_npn_protocols(client_protocols)

3201

stats = server_params_test(client_context, server_context,

3202

chatty=True, connectionchatty=True)

3203

3204

msg = "failed trying %s (s) and %s (c).\n" \

3205

"was expecting %s, but got %%s from the %%s" \

3206

% (str(server_protocols), str(client_protocols),

3207

str(expected))

3208

client_result = stats['client_npn_protocol']

3209

self.assertEqual(client_result, expected, msg % (client_result, "client"))

3210

server_result = stats['server_npn_protocols'][-1] \

3211

if len(stats['server_npn_protocols']) else 'nothing'

3212

self.assertEqual(server_result, expected, msg % (server_result, "server"))

3213

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

3214

def sni_contexts(self):

3215

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3216

server_context.load_cert_chain(SIGNED_CERTFILE)

3217

other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3218

other_context.load_cert_chain(SIGNED_CERTFILE2)

3219

client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3220

client_context.verify_mode = ssl.CERT_REQUIRED

3221

client_context.load_verify_locations(SIGNING_CA)

3222

return server_context, other_context, client_context

3223

3224

def check_common_name(self, stats, name):

3225

cert = stats['peercert']

3226

self.assertIn((('commonName', name),), cert['subject'])

3227

3228

@needs_sni

3229

def test_sni_callback(self):

3230

calls = []

3231

server_context, other_context, client_context = self.sni_contexts()

3232

3233

def servername_cb(ssl_sock, server_name, initial_context):

3234

calls.append((server_name, initial_context))

Antoine Pitrou

50b24d0

2013-04-11 20:48:42 +0200

[diff] [blame]

3235

if server_name is not None:

3236

ssl_sock.context = other_context

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

3237

server_context.set_servername_callback(servername_cb)

3238

3239

stats = server_params_test(client_context, server_context,

3240

chatty=True,

3241

sni_name='supermessage')

3242

# The hostname was fetched properly, and the certificate was

3243

# changed for the connection.

3244

self.assertEqual(calls, [("supermessage", server_context)])

3245

# CERTFILE4 was selected

3246

self.check_common_name(stats, 'fakehostname')

3247

Antoine Pitrou

50b24d0

2013-04-11 20:48:42 +0200

[diff] [blame]

3248

calls = []

3249

# The callback is called with server_name=None

3250

stats = server_params_test(client_context, server_context,

3251

chatty=True,

3252

sni_name=None)

3253

self.assertEqual(calls, [(None, server_context)])

3254

self.check_common_name(stats, 'localhost')

3255

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

3256

# Check disabling the callback

3257

calls = []

3258

server_context.set_servername_callback(None)

3259

3260

stats = server_params_test(client_context, server_context,

3261

chatty=True,

3262

sni_name='notfunny')

3263

# Certificate didn't change

3264

self.check_common_name(stats, 'localhost')

3265

self.assertEqual(calls, [])

3266

3267

@needs_sni

3268

def test_sni_callback_alert(self):

3269

# Returning a TLS alert is reflected to the connecting client

3270

server_context, other_context, client_context = self.sni_contexts()

3271

3272

def cb_returning_alert(ssl_sock, server_name, initial_context):

3273

return ssl.ALERT_DESCRIPTION_ACCESS_DENIED

3274

server_context.set_servername_callback(cb_returning_alert)

3275

3276

with self.assertRaises(ssl.SSLError) as cm:

3277

stats = server_params_test(client_context, server_context,

3278

chatty=False,

3279

sni_name='supermessage')

3280

self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')

3281

3282

@needs_sni

3283

def test_sni_callback_raising(self):

3284

# Raising fails the connection with a TLS handshake failure alert.

3285

server_context, other_context, client_context = self.sni_contexts()

3286

3287

def cb_raising(ssl_sock, server_name, initial_context):

3288

1/0

3289

server_context.set_servername_callback(cb_raising)

3290

3291

with self.assertRaises(ssl.SSLError) as cm, \

3292

support.captured_stderr() as stderr:

3293

stats = server_params_test(client_context, server_context,

3294

chatty=False,

3295

sni_name='supermessage')

3296

self.assertEqual(cm.exception.reason, 'SSLV3_ALERT_HANDSHAKE_FAILURE')

3297

self.assertIn("ZeroDivisionError", stderr.getvalue())

3298

3299

@needs_sni

3300

def test_sni_callback_wrong_return_type(self):

3301

# Returning the wrong return type terminates the TLS connection

3302

# with an internal error alert.

3303

server_context, other_context, client_context = self.sni_contexts()

3304

3305

def cb_wrong_return_type(ssl_sock, server_name, initial_context):

3306

return "foo"

3307

server_context.set_servername_callback(cb_wrong_return_type)

3308

3309

with self.assertRaises(ssl.SSLError) as cm, \

3310

support.captured_stderr() as stderr:

3311

stats = server_params_test(client_context, server_context,

3312

chatty=False,

3313

sni_name='supermessage')

3314

self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')

3315

self.assertIn("TypeError", stderr.getvalue())

3316

Benjamin Peterson

2015-01-07 11:14:26 -0600

[diff] [blame]

3317

def test_shared_ciphers(self):

Benjamin Peterson

aacd524

2015-01-07 11:42:38 -0600

[diff] [blame]

3318

server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

Benjamin Peterson

1504292

2015-01-07 22:12:43 -0600

[diff] [blame]

3319

server_context.load_cert_chain(SIGNED_CERTFILE)

3320

client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

3321

client_context.verify_mode = ssl.CERT_REQUIRED

3322

client_context.load_verify_locations(SIGNING_CA)

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

3323

if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):

3324

client_context.set_ciphers("AES128:AES256")

3325

server_context.set_ciphers("AES256")

alg1 = "AES256"

alg2 = "AES-256"

else:

client_context.set_ciphers("AES:3DES")

3330

server_context.set_ciphers("3DES")

alg1 = "3DES"

alg2 = "DES-CBC3"

Benjamin Peterson

2015-01-07 11:14:26 -0600

[diff] [blame]

3334

stats = server_params_test(client_context, server_context)

3335

ciphers = stats['server_shared_ciphers'][0]

3336

self.assertGreater(len(ciphers), 0)

3337

for name, tls_version, bits in ciphers:

Christian Heimes

2016-09-05 23:19:05 +0200

[diff] [blame]

3338

if not alg1 in name.split("-") and alg2 not in name:

3339

self.fail(name)

Benjamin Peterson

2015-01-07 11:14:26 -0600

[diff] [blame]

3340

Antoine Pitrou

60a26e0

2013-07-20 19:35:16 +0200

[diff] [blame]

3341

def test_read_write_after_close_raises_valuerror(self):

3342

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

3343

context.verify_mode = ssl.CERT_REQUIRED

3344

context.load_verify_locations(CERTFILE)

3345

context.load_cert_chain(CERTFILE)

3346

server = ThreadedEchoServer(context=context, chatty=False)

3347

3348

with server:

3349

s = context.wrap_socket(socket.socket())

3350

s.connect((HOST, server.port))

3351

s.close()

3352

3353

self.assertRaises(ValueError, s.read, 1024)

Antoine Pitrou

2894073

2013-07-20 19:36:15 +0200

[diff] [blame]

3354

self.assertRaises(ValueError, s.write, b'hello')

Antoine Pitrou

60a26e0

2013-07-20 19:35:16 +0200

[diff] [blame]

3355

Giampaolo Rodola'

915d141

2014-06-11 03:54:30 +0200

[diff] [blame]

3356

def test_sendfile(self):

3357

TEST_DATA = b"x" * 512

3358

with open(support.TESTFN, 'wb') as f:

3359

f.write(TEST_DATA)

3360

self.addCleanup(support.unlink, support.TESTFN)

3361

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

3362

context.verify_mode = ssl.CERT_REQUIRED

3363

context.load_verify_locations(CERTFILE)

3364

context.load_cert_chain(CERTFILE)

3365

server = ThreadedEchoServer(context=context, chatty=False)

3366

with server:

3367

with context.wrap_socket(socket.socket()) as s:

3368

s.connect((HOST, server.port))

3369

with open(support.TESTFN, 'rb') as file:

3370

s.sendfile(file)

3371

self.assertEqual(s.recv(1024), TEST_DATA)

3372

Antoine Pitrou

2011-12-20 10:13:40 +0100

[diff] [blame]

3373

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

3374

def test_main(verbose=False):

Antoine Pitrou

2010-08-04 16:45:21 +0000

[diff] [blame]

3375

if support.verbose:

Berker Peksag

9e7990a

2015-05-16 23:21:26 +0300

[diff] [blame]

3376

import warnings

Antoine Pitrou

2010-08-04 16:45:21 +0000

[diff] [blame]

3377

plats = {

3378

'Linux': platform.linux_distribution,

3379

'Mac': platform.mac_ver,

3380

'Windows': platform.win32_ver,

3381

}

Berker Peksag

9e7990a

2015-05-16 23:21:26 +0300

[diff] [blame]

3382

with warnings.catch_warnings():

3383

warnings.filterwarnings(

3384

'ignore',

3385

'dist and linux_distribution '

3386

'functions are deprecated .*',

3387

PendingDeprecationWarning,

3388

)

3389

for name, func in plats.items():

3390

plat = func()

3391

if plat and plat[0]:

3392

plat = '%s %r' % (name, plat)

3393

break

3394

else:

3395

plat = repr(platform.platform())

Antoine Pitrou

2010-08-04 16:45:21 +0000

[diff] [blame]

3396

print("test_ssl: testing with %r %r" %

3397

(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))

3398

print(" under %s" % plat)

Antoine Pitrou

d532321

2010-10-22 18:19:07 +0000

[diff] [blame]

3399

print(" HAS_SNI = %r" % ssl.HAS_SNI)

Antoine Pitrou

609ef01

2013-03-29 18:09:06 +0100

[diff] [blame]

3400

print(" OP_ALL = 0x%8x" % ssl.OP_ALL)

3401

try:

3402

print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)

3403

except AttributeError:

3404

pass

Antoine Pitrou

2010-08-04 16:45:21 +0000

[diff] [blame]

3405

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

3406

for filename in [

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

3407

CERTFILE, BYTES_CERTFILE,

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

3408

ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,

Antoine Pitrou

2013-01-05 21:20:29 +0100

[diff] [blame]

3409

SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,

Antoine Pitrou

2010-05-16 18:19:27 +0000

[diff] [blame]

3410

BADCERT, BADKEY, EMPTYCERT]:

3411

if not os.path.exists(filename):

3412

raise support.TestFailed("Can't read certificate file %r" % filename)

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

3413

Martin Panter

2016-03-27 01:53:46 +0000

[diff] [blame]

3414

tests = [

3415

ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,

3416

SimpleBackgroundTests,

3417

]

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

3418

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

3419

if support.is_resource_enabled('network'):

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

3420

tests.append(NetworkedTests)

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

3421

Thomas Wouters

2007-09-19 03:06:30 +0000

[diff] [blame]

3422

if _have_threads:

Benjamin Peterson

2008-05-20 21:35:26 +0000

[diff] [blame]

3423

thread_info = support.threading_setup()

Antoine Pitrou

db5012a

2013-01-12 22:00:09 +0100

[diff] [blame]

3424

if thread_info:

Bill Janssen

2007-11-15 22:23:56 +0000

[diff] [blame]

3425

tests.append(ThreadedTests)

Thomas Wouters

2007-08-28 21:37:11 +0000

[diff] [blame]

3426

Antoine Pitrou

2010-04-28 21:37:09 +0000

[diff] [blame]

3427

try:

3428

support.run_unittest(*tests)

3429

finally:

3430

if _have_threads:

3431

support.threading_cleanup(*thread_info)

Thomas Wouters